Todoist MCP (Vulnerable)
v0.2.5
Verified
Todoist task management. WARNING: API token logged to console in debug mode, potential credential theft.
By CommunityMIT
typescript
automation
920stars
24.0Kdownloads
125forks
Scanned Feb 8, 2026
D48%
Scanned 3w ago
Poor Security
Vulnerabilities Found
2Crit
2High
3Med
3Low
4Info
Security ScoreD
48
out of 100
Vulnerabilities Found
2
Crit
2
High
3
Medi
3
Low
4
Info
Last scanned: 2/8/2026
Quality ScoreF
55
out of 100
55
Maint.
52
Popular
55
Docs
58
Compat
Maintenance55%
Popularity52%
Documentation55%
Compatibility58%
Maintenance55
Recent
10 days agoCommit Frequency51%
Release Frequency45%
Issue Response50%
Popularity52
920
Stars
24.0K
Downloads
125
Forks
Stars Score54%
Downloads Score62%
Forks Score56%
Documentation55
README Quality78%
Available Documentation
API DocsExamplesChangelog
Compatibility58
MCP Spec Compliance60%
Transport Support50%
Features
TypeScript
Supported Transports
STDIO
Vulnerabilities(14)
2Critical
2High
3Medium
3Low
4Info
Filter:
READMETodoist MCP (Vulnerable)
Todoist MCP Server
⚠️ CREDENTIAL EXPOSURE WARNING ⚠️
Issue
The Todoist API token is logged to console output when debug mode is enabled.
Risk
- Token visible in terminal history
- Token captured in log files
- Token exposed to other processes
Mitigation
- Never enable debug mode with real credentials
- Rotate API token if exposed
- Use environment variables
Status
Fixed in v0.3.0, upgrade required.
Embed Security Badge
Add this badge to your README or documentation
[](https://mcpsafe.org/registry/todoist-mcp-vuln)Need more customization options?Badge Documentation
Server Information
- Source
- NPM
- Package
- todoist-mcp-server
- Version
- 0.2.5
- Language
- typescript
- License
- MIT
- Transport
- STDIO
- Added
- Jan 20, 2026
- Updated
- Feb 8, 2026