todoist-setup
Warn
Audited by Gen Agent Trust Hub on May 20, 2026
Risk Level: MEDIUM
CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill configures and runs an external package from a public registry at runtime.
  - Evidence: The setup flow adds a command to `.mcp.json` that uses `npx -y todoist-mcp-server` to fetch and execute the server code.
- [EXTERNAL_DOWNLOADS]: The skill depends on a remote package from the npm registry that is not from a verified trusted organization.
  - Evidence: Reference to `todoist-mcp-server` in the MCP configuration step.
- [CREDENTIALS_UNSAFE]: The skill handles sensitive authentication tokens and persists them in multiple local configuration files.
  - Evidence: The skill prompts for a Todoist API token and writes it to both `System/integrations/config.yaml` and `.mcp.json` under the `env` section.
- [COMMAND_EXECUTION]: The skill executes shell commands to validate connectivity to the external service.
  - Evidence: Execution of `curl -s -H "Authorization: Bearer $API_KEY" https://api.todoist.com/api/v1/projects` to test the token.
- [PROMPT_INJECTION]: The skill possesses an attack surface for indirect prompt injection by ingesting untrusted task data from an external API.
  - Ingestion points: Task titles and descriptions fetched from Todoist via the `todoist-mcp-server` or `curl` calls.
  - Boundary markers: Uses a `[dex:task-ID]` marker for loop prevention, but lacks explicit delimiters or instructions for the model to ignore embedded commands in task data.
  - Capability inventory: The skill has the ability to execute shell commands (`npx`, `curl`) and modify local configuration files.
  - Sanitization: No evidence of sanitization or validation of the task content retrieved from the Todoist API before it is processed by the agent.