Low
github · 4 files analyzed
abhiz123/todoist-mcp-server
Minor capabilities, nothing alarming.
Environment variables (config / keys) 1
AI review
No prompt injection, hidden instructions, or deceptive tool descriptions found. The extension reads the Todoist API token from environment variables as expected and only interacts with the Todoist API for task management.
- low Environment variable usage is appropriate — The TODOIST_API_TOKEN is read from process.env at src/index.ts:145, which is standard and secure for MCP servers. No exfiltration or unexpected transmission of credentials is present.
Model: deepseek-chat
Static findings
Environment variables (config / keys) · Reads environment variables (config / API keys)
low
src/index.ts:145
const TODOIST_API_TOKEN = process.env.TODOIST_API_TOKEN!;
MCPVet is a heuristic aid, not a security guarantee. A clean grade does not prove an extension is safe; always review code and instructions you don't trust.