action-items-todoist
Warn
Audited by Gen Agent Trust Hub on Apr 8, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill interpolates untrusted data, such as meeting titles and summaries extracted from external transcripts, directly into shell command arguments for
todoist-cliandskill_log.py. If meeting content contains shell metacharacters or unbalanced quotes, it could lead to command injection. - [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) because it processes untrusted meeting data to drive its decision-making and email drafting.
- Ingestion points: Meeting summaries and full transcripts fetched via
mcporterfrom Granola and Grain (SKILL.md, Steps 1 and 2). - Boundary markers: No boundary markers or 'ignore' instructions are used when processing the external meeting text.
- Capability inventory: The skill has the ability to execute shell commands (
todoist-cli,gog,python3), write to local state files, and draft outbound emails via a referenced email-drafting skill. - Sanitization: No sanitization or validation steps are defined for the data ingested from meeting transcripts before it is used to generate tasks or emails.
- [DATA_EXPOSURE]: The skill accesses sensitive local configuration and environment files, including
{user.workspace}/.envand~/executive-assistant-skills/config/user.json, to retrieve user identities and API credentials.
Audit Metadata