obsidian-todoist-sync
Pass
Audited by Gen Agent Trust Hub on Apr 1, 2026
Risk Level: SAFE EXTERNAL_DOWNLOADS CREDENTIALS_UNSAFE PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: Provides links to the official Obsidian plugin registry and the developer's project documentation on GitHub Pages for plugin setup and installation. These are standard and well-known resources for Obsidian plugin users.
- [CREDENTIALS_UNSAFE]: Discusses the requirement for a Todoist API token and its storage in the .obsidian/todoist-token file. The documentation specifically advises users to exclude this file from synchronization to prevent credential exposure.
- [PROMPT_INJECTION]: Identifies a surface for indirect prompt injection as the skill facilitates the rendering of external task data from Todoist into Obsidian notes.
- Ingestion points: Todoist task metadata (titles, descriptions) is fetched via API and displayed in the vault using query blocks as documented in references/query-blocks.md.
- Boundary markers: The skill describes the use of standard YAML code block delimiters for task queries.
- Capability inventory: The agent can read and process note content containing this synced data within the vault.
- Sanitization: The provided reference material does not specify sanitization procedures for the imported task content, relying on the user's control of their Todoist account.
Audit Metadata