ICU
critical

todoist-mcp

v1.3.0

Todoist MCP Server

npm | stanislavlysenko | First seen Feb 22, 2026

Total: 7 | Critical: 1 | High: 2 | Medium: 4

Findings

unknown
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    7: }
    8: export const config = {
>>> 9:     API_KEY: process.env.API_KEY ?? '',
    10: };
    11: export { version } from './version.js';
high | SC-003 | Suspicious Commands | Medium Confidence | Line 0

Dynamic code execution via exec()

Detected by automated pattern matching (rule SC-003) with medium confidence. May be a false positive.

    60:         const pathParamRegex = /{([^}]+)}/g;
    61:         let match;
>>> 62:         while ((match = pathParamRegex.exec(options.path)) !== null) {
    63:             const fullMatch = match[0]; // e.g., "{id}"
    64:             const paramName = match[1]; // e.g., "id"
high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: (non-printable binary data)

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

medium | NS-003 | Network Suspicious | Medium Confidence | Line 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    69:         const url = `${API_BASE_URL}${endpoint}`;
    70:         log(`Making POST request to: ${url} with data:`, JSON.stringify(data, null, 2));
>>> 71:         const response = await fetch(url, {
    72:             method: 'POST',
    73:             headers: this.getHeaders(true),
medium | NS-003 | Network Suspicious | Medium Confidence | Line 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    84:         const url = `${API_BASE_URL}${endpoint}`;
    85:         log(`Making DELETE request to: ${url}`);
>>> 86:         const response = await fetch(url, {
    87:             method: 'DELETE',
    88:             headers: this.getHeaders(),
medium | NS-003 | Network Suspicious | Medium Confidence | Line 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    98:         const url = `${API_BASE_URL}/sync`;
    99:         log(`Making SYNC request to: ${url} with commands:`, JSON.stringify(commands, null, 2));
>>> 100:         const response = await fetch(url, {
    101:             method: 'POST',
    102:             headers: this.getHeaders(true),
medium | NS-003 | Network Suspicious | Medium Confidence | Line 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    49:         }
    50:         log(`Making GET request to: ${url}`);
>>> 51:         const response = await fetch(url, {
    52:             method: 'GET',
    53:             headers: this.getHeaders(),

Scan History

Date | Risk | Findings
Feb 26, 2026 | critical | 7
Feb 23, 2026 | critical | 7
Feb 22, 2026 | critical | 7