todoist
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: CRITICALREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSCREDENTIALS_UNSAFE
Full Analysis
- [REMOTE_CODE_EXECUTION] (CRITICAL): The skill documentation explicitly instructs users to execute code directly from a remote URL using a piped shell command:
curl -sSL https://canifi.com/skills/todoist/install.sh | bash. This allows the external site to execute arbitrary code on the user machine without prior inspection. - [EXTERNAL_DOWNLOADS] (HIGH): The skill downloads resources from
canifi.com, which is not a recognized trusted source (e.g., official GitHub organizations of major AI companies), increasing the risk of malicious payload delivery. - [CREDENTIALS_UNSAFE] (MEDIUM): The skill documentation encourages users to store sensitive credentials like
SERVICE_PASSWORDandTODOIST_EMAILin an environment manager (canifi-env) that is installed via an untrusted script. - [INDIRECT_PROMPT_INJECTION] (LOW): The skill processes external data from Todoist tasks and comments, creating a surface for indirect prompt injection.
- Ingestion points: Todoist task titles, descriptions, and comments (SKILL.md).
- Boundary markers: Absent; no instructions are provided to the agent to treat task content as untrusted data.
- Capability inventory: Task management and browser interaction via Playwright MCP (SKILL.md).
- Sanitization: Absent; the skill does not specify any sanitization or validation of the ingested task data.
Recommendations
- HIGH: Downloads and executes remote code from: https://canifi.com/skills/todoist/install.sh, https://canifi.com/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata