todoist-due-drafts
Pass
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes several local CLI tools including 'todoist-cli' for task retrieval, 'mcporter' for transcript access, and 'gog' for Gmail operations. It also runs a Python script 'cron_canary.py' from a path defined in the user's configuration and sources a local '.env' file.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8). It ingests untrusted data from external sources including Todoist task titles/descriptions, meeting transcripts from Granola/Grain, and Gmail thread content.
- Ingestion points: Todoist task lists, meeting transcript queries (mcporter), and Gmail message history (gog).
- Boundary markers: Absent. The instructions do not specify delimiters for external content when constructing prompts for the drafting sub-skill.
- Capability inventory: The agent can create Gmail drafts and send WhatsApp messages.
- Sanitization: No explicit sanitization or validation of the ingested text is performed before interpolation into the drafting process.
- [DATA_EXFILTRATION]: The skill extracts information from tasks and email accounts to generate a summary report sent to a configured WhatsApp number. While this is the intended functionality for the user, it involves moving sensitive task and contact data to an external messaging platform.
Audit Metadata