Todoist API integration with managed OAuth. Manage tasks, projects, sections, labels, and comments. Use this skill when users want to create, update, complet...
Security Analysis
High confidence: The skill's requests and instructions are consistent with a Todoist integration that proxies requests through a third-party gateway (Maton); it requires a single Maton API key, which is proportionate but sensitive, and there is no local install or unexpected file access.
The name/description (Todoist integration with managed OAuth) matches the behavior in SKILL.md: all API calls are routed through maton.ai gateway/ctrl endpoints and the skill asks only for a Maton API key. There are no unrelated binaries, config paths, or extra credentials requested.
Runtime instructions are narrow and concrete: they show how to call gateway.maton.ai and ctrl.maton.ai using the MATON_API_KEY and how to complete OAuth via a browser URL. The instructions do not read arbitrary files, shell history, or other environment variables beyond MATON_API_KEY, nor do they direct data to unexpected endpoints outside the Maton/Todoist proxy flow.
No install spec and no code files means nothing is written to disk by the skill itself. This is the lowest-risk install posture.
The skill requires a single env var (MATON_API_KEY), which is consistent with using Maton's managed OAuth gateway. However, this API key is sensitive: anyone holding it (or the gateway) can act on the user's Todoist connections, so trust in Maton is required. The skill does not request unrelated secrets.
The `always` flag is false, and there is no install-time writing or modification of other skills or system-wide settings. The skill does not request persistent or elevated platform privileges.
Guidance
This skill is internally consistent, but it routes Todoist access through a third-party service (Maton). Before installing:
1) Treat MATON_API_KEY like a secret—only provide it if you trust maton.ai.
2) Verify Maton's privacy/security and what scopes are granted during the OAuth flow (the gateway will hold OAuth tokens for your Todoist account).
3) If you prefer not to route tokens through a proxy, consider using a skill that integrates directly with Todoist or one where you control the OAuth client.
4) Because the skill is instruction-only (no local code), local filesystem risk is low, but network/third-party trust remains the primary consideration.
Latest Release
v1.0.3
- Switched API endpoints from `/rest/v2` to `/api/v1` for all Todoist requests.
- Updated base URLs and code examples to reflect the new API version.
- Adjusted response examples and field names to match the v1 API structure.
- Clarified quick start instructions and connection header usage with new endpoint paths.
Published by @byungkyu on ClawHub