58
grade D
10 days ago
pulsemcp
Microsoft To Do
Self-hosted Microsoft To Do with SQLite workaround for personal account list limitations.
Install from
M8ven verifies MCPs across every public registry — install directly from whichever one you prefer.
// key findings
⚠️
Known vulnerabilities in dependencies: 3 high
Affects packages this MCP installs at runtime. Upgrade or remove the affected dependency.
✅
No credential exfiltration, no sensitive file access, no obfuscation
Static analysis found nothing flowing your secrets to unexpected places.
✅
Open source with a license and README
Anyone can audit the code, the license is declared, and the publisher documents what it does.
🔐
You'll be asked for 3 credentials: CLIENT_SECRET, DASHBOARD_PASSWORD, MCP_API_KEY
These are read from process.env at runtime. Make sure you trust where they’ll be sent.
// required environment variables
This server reads these from
process.env. You'll be asked to provide them before it can run.config
CLIENT_ID— your_azure_app_client_id🔐 secret
CLIENT_SECRET— your_azure_app_client_secret🔐 secret
DASHBOARD_PASSWORD— your_dashboard_pass # set this — protects /authconfig
DASHBOARD_USERNAME— admin # username for dashboard loginconfig
LIST_DB_PATH🔐 secret
MCP_API_KEY— your_secret_api_key # openssl rand -hex 32config
MSTODO_TOKEN_FILEconfig
PORTconfig
PUBLIC_URLconfig
REDIRECT_URIconfig
TENANT_ID// full audit trail
The full breakdown of what we checked, the deductions that landed, the network hosts, the dependency advisories, and concrete fix guidance is available to verified publishers.
// improvement guidance — verified publishers only
We have 6 concrete improvements we can share with the publisher of this MCP. Each comes with specific guidance to raise the trust score.
// embed badge in your README
[](https://m8ven.ai/mcp/akkilesh-a-microsoft-todo-mcp-server-self-hosted-untk9a)commit: d76ad0b936efc7c701d46546a894e0ff36b40174
code hash: b3ee9d8e80df430ad2a55694e1ea345a7b421ef299998fd15165ed536b21d586
verified: 4/11/2026, 1:52:52 PM