todoist-setup
Warn
Audited by Socket on May 20, 2026
1 alert found:
Security (MEDIUM): SKILL.md
SUSPICIOUS: the core Todoist sync purpose is coherent, and direct calls to Todoist’s official API are expected, but the skill also downloads and runs an external MCP package via `npx` and forwards the user’s Todoist API key to it. Combined with raw local token storage and an autonomous sync mode, the footprint is broader and riskier than a minimal setup skill.
Confidence: 87%
Severity: 72%
Audit Metadata