todoist-cli

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH | PROMPT_INJECTION | COMMAND_EXECUTION | EXTERNAL_DOWNLOADS
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill reads task data (names, descriptions, and comments) from the Todoist API, which is an external source that can be controlled by attackers. This untrusted data is processed by the agent which has direct write and execute capabilities. An attacker could create a task containing malicious instructions that trigger the agent to perform unauthorized actions.
      • Ingestion points: todoist tasks, todoist search, todoist view, and todoist comment commands as documented in SKILL.md.
      • Boundary markers: Absent. The skill provides no instructions to separate task content from system commands.
      • Capability inventory: Command execution via todoist add, todoist delete, and todoist update.
      • Sanitization: Absent. Content is processed as raw text without filtering or escaping.
  • [Unverifiable Dependencies] (MEDIUM): The skill recommends installing a CLI binary from an untrusted GitHub repository (buddyh/todoist-cli) via brew or go install. This repository is not an official Todoist source and does not belong to the trusted organizations list, posing a supply chain risk.
  • [Command Execution] (MEDIUM): The skill is built around executing shell commands via the todoist binary. When combined with the lack of input sanitization for external content, this capability presents a risk of command injection or manipulation via the agent's logic.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 12:51 PM