todoist-automation
Pass
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill requires the configuration of an external Model Context Protocol (MCP) server at
https://rube.app/mcp. This creates a dependency on a third-party service to provide the underlying tools and logic for Todoist automation. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection attacks because it ingests and processes untrusted data from a user's Todoist account.
- Ingestion points: Data enters the agent's context through tools like
TODOIST_GET_ALL_TASKSandTODOIST_GET_ALL_PROJECTS(SKILL.md). - Boundary markers: There are no delimiters or instructions provided to the agent to treat task content or project names as untrusted data or to ignore instructions contained within them.
- Capability inventory: The skill has significant capabilities, including the ability to delete tasks (
TODOIST_DELETE_TASK), delete sections (TODOIST_DELETE_SECTION), and modify account details through bulk operations. - Sanitization: There is no evidence of sanitization, filtering, or validation of the strings retrieved from the Todoist API before they are passed to the agent's reasoning engine.
Audit Metadata