98
/ 100
1 month ago
glama

Todoist AI MCP Server

Enables AI agents to access and modify Todoist accounts to manage tasks and projects on the user's behalf. It provides a suite of tools for task operations and supports interactive UI widgets for a rich visual experience in AI chat interfaces.

Is this your MCP?

Claim it to get a verified publisher badge, a free copy of our full audit findings, and direct contact for any high-priority issues we find.

Install from

M8ven verifies MCPs across every public registry — install directly from whichever one you prefer.

// key findings
No credential exfiltration, no sensitive file access, no obfuscation
Static analysis found nothing flowing your secrets to unexpected places.
Open source with a license and README
Anyone can audit the code, the license is declared, and the publisher documents what it does.
🔐
You'll be asked for 1 credential: TODOIST_API_KEY
These are read from process.env at runtime. Make sure you trust where they’ll be sent.
// known CVEs in dependencies2 medium2 low

Disclosed vulnerabilities in this server's declared npm dependencies (via OSV). Whether each is reachable depends on the installed versions.

mediumdompurify@3.3.3GHSA-39q2-94rc-95cp

DOMPurify's ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit evaluation

mediumdompurify@3.3.3GHSA-h7mw-gpvr-xq4m

DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix)

lowdompurify@3.3.3GHSA-crv5-9vww-q3g8

DOMPurify has a SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode

lowdompurify@3.3.3GHSA-v9jr-rg53-9pgp

DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallback

Depend on this server? Get alerted when its CVEs change.Watch this server free →
// required environment variables
This server reads these from process.env. You'll be asked to provide them before it can run.
configMCP_TOKEN_BUDGET
configPORT
🔐 secretTODOIST_API_KEYconst client = new TodoistApi(process.env.)
configTODOIST_BASE_URL
configUSE_STRUCTURED_CONTENT
// full audit trail
The full breakdown of what we checked, the deductions that landed, the network hosts, the dependency advisories, and concrete fix guidance is available to verified publishers.
// improvement guidance — verified publishers only
We have 2 concrete improvements we can share with the publisher of this MCP. Each comes with specific guidance to raise the trust score.
// embed badge in your README
[![M8ven Score](https://m8ven.ai/badge/mcp/doist-todoist-ai-5rclks)](https://m8ven.ai/mcp/doist-todoist-ai-5rclks)
commit: 98fc66e97ca9ae7004fe6b28706af753acce788c
code hash: 7d62fb69331ac071d585143f47bae0e5c7b4b149ae4cd628a1cd1353ffc7e699
verified: 6/11/2026, 11:23:20 AM
view raw JSON →
Todoist AI MCP Server · M8ven Trust Score | M8ven