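📦 Todoist — Task Management
v0.2.1 Manage tasks and projects in Todoist in one place: quickly create, delete, update and query to-dos and reminders, and sync progress with one click to boost personal and team productivity.
49 · 18k · 203 current · 211 total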
Last updated
2026/2/27
Security scan
OpenClaw
Suspicious
medium confidence
Assessment recommendations
What to consider before installing or using this skill:
- The SKILL.md expects you to install a third-party npm package (todoist-ts-cli) and to provide a Todoist API token. The registry metadata you were shown does not list these requirements — ask the publisher to reconcile that mismatch.
- Verify the npm package: inspect the todoist-ts-cli package on npm (maintainer, source repo, reviews, recent releases) before installing. Prefer packages with a public GitHub repo and pinned releases.
- Be ca...
ℹ Purpose and capabilities
The SKILL.md describes a Todoist CLI and its commands (adding, listing, completing tasks) which is coherent with the skill name and description. However, the skill's embedded metadata (in SKILL.md) lists required binary 'todoist' and env var 'TODOIST_API_TOKEN' while the registry-level metadata provided to you lists no required binaries or env vars — a clear inconsistency between what the skill claims it needs and what the registry declares.
✓ Instruction scope
The instructions are narrowly scoped to installing and using a Todoist CLI: installing via npm, authenticating with a Todoist API token, and running typical task-management commands. They do not instruct reading arbitrary files or exfiltrating data to third-party endpoints beyond Todoist.
ℹ Install mechanism
There is no formal install spec in the registry, but SKILL.md instructs 'npm install -g todoist-ts-cli@^0.2.0' — an npm global package install from the public registry (moderate-risk, expected for a CLI). This is not an arbitrary URL download, but the registry should have declared the dependency and required runtime (node/npm) — that omission is inconsistent.
⚠ Credential requirements
The CLI legitimately needs a Todoist API token (TODOIST_API_TOKEN) to operate. But the registry metadata you were given lists no required env vars or primary credential while the SKILL.md requires TODOIST_API_TOKEN and suggests running 'todoist auth <token>' (which typically persists credentials). The missing declaration of this credential and of where/how it will be stored is a proportionality and transparency concern.
ℹ Persistence and privileges
The skill does not request always:true and does not require system-wide privileges. However, following its instructions will likely cause the CLI to write authentication state to disk (via 'todoist auth' or local npm package config). The registry did not declare any required config paths or note this local persistence.
Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Version
latest v0.2.1 2026/1/8
● Benign
Install command
Official: npx clawhub@latest install todoist
Mirror (accelerated): npx clawhub@latest install todoist --registry https://cn.longxiaskill.com