todoist-automation
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFE (PROMPT_INJECTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it retrieves and acts upon data from the Todoist API. If a task description contains malicious instructions, the agent might inadvertently execute them.
  - Ingestion points: Untrusted data is ingested via TODOIST_GET_ALL_TASKS, TODOIST_GET_ALL_PROJECTS, and TODOIST_GET_ALL_SECTIONS in SKILL.md.
  - Boundary markers: No boundary markers or instructions to ignore embedded commands are present in the skill's logic.
  - Capability inventory: The skill provides extensive capabilities to modify the user's account, including TODOIST_CREATE_TASK, TODOIST_UPDATE_TASK, and TODOIST_DELETE_TASK in SKILL.md.
  - Sanitization: No sanitization or filtering of the retrieved data is mentioned or implemented.
- [EXTERNAL_DOWNLOADS]: The setup process requires the user to add a remote MCP server from https://rube.app/mcp, which is used to provide the underlying tool functionality.