todoist-api
Warn
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: MEDIUM [PROMPT_INJECTION]
Full Analysis
- [PROMPT_INJECTION]: Metadata poisoning detected in `SKILL.md`. The author is listed as 'OpenAI', which is a deceptive claim as the actual skill author is 'tristanmanchester'. This misrepresentation leverages the reputation of a trusted organization to gain undue trust in the skill's safety.
- [PROMPT_INJECTION]: Vulnerability to indirect prompt injection through data processed from the Todoist API.
  - Ingestion points: The skill retrieves user-controlled data such as task content, descriptions, and comments via `scripts/todoist_api.py` (e.g., in `do_get_tasks` and `do_get_comments`).
  - Boundary markers: No delimiters or instructions are used to distinguish untrusted data retrieved from the API from system prompts.
  - Capability inventory: The skill possesses significant capabilities, including the ability to create, update, and delete tasks and projects, and to execute arbitrary API requests via the `raw` command in `scripts/todoist_api.py`.
  - Sanitization: There is no evidence of sanitization or filtering of retrieved content in `scripts/todoist_api.py` before it is incorporated into the agent's context.
Audit Metadata