MCPVet
Clean
Environment variables (config / keys) 1
AI review
This is a straightforward Todoist MCP server that reads an API token from environment variables and exposes tools for task management. No hidden instructions, deceptive tool descriptions, or data exfiltration mechanisms were found.
- low Standard API token usage via environment variable — The server reads TODOIST_API_TOKEN from process.env, which is the expected and secure pattern for MCP servers. No code attempts to read or exfiltrate other secrets.
Model: deepseek-chat
Static findings
Environment variables (config / keys) · Reads environment variables (config / API keys)
low
src/index.ts:145
const TODOIST_API_TOKEN = process.env.TODOIST_API_TOKEN!;
Scanning every extension your team installs?
Pro & Team add monitoring, private scans, and a CI gate for unsafe extensions.
MCPVet is a heuristic aid, not a security guarantee. A clean grade does not prove an extension is safe; always review code and instructions you don't trust.