todoist
Pass
Audited by Gen Agent Trust Hub on Mar 18, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill interacts exclusively with the official Todoist API at api.todoist.com, which is a well-known and trusted service.
- [COMMAND_EXECUTION]: Shell commands are used appropriately to perform HTTP requests. The bash -c wrapper is a documented workaround for maintaining environment variables across pipes and does not introduce additional risk in this context.
- [CREDENTIALS_UNSAFE]: Sensitive tokens are managed via the vm0_secrets manifest field, ensuring that the TODOIST_TOKEN is injected securely at runtime rather than being hardcoded in the skill.
- [DATA_EXFILTRATION]: No unauthorized data transmission was detected; network activity is limited to the functional requirements of managing tasks via the Todoist API.