Todoist for Chrome: Planner & Calendar - Security Analysis

Chrome | v12.21.1 | MV3 | February 18, 2026 at 12:07 PM
Use with caution

This extension requests significant permissions. Review the findings below before installing.

4.3 MEDIUM

This extension shows some risk signals that are common in legitimate extensions but worth reviewing. Check the details below.

Based on 10 permissions including high-risk ones, 88 code findings.

Permissions: 7.5/10
Code: 3.5/10
Combinations: 0.0/10
Manifest/CSP: 5.8/10

Permissions (10 analyzed)

Code Findings (17 patterns, 88 total)

Content Security Policy

No CSP Defined (1 issue)
MEDIUM
N/A: No CSP defined

This extension does not define a Content Security Policy. A CSP helps prevent XSS and code injection attacks.

Manifest Analysis (3 findings)

Resolved from __MSG_* i18n placeholders:

Name: Todoist for Chrome: Planner & Calendar

Description: Organize work and life with Todoist for Chrome

HIGH
web_accessible_resources: JS files exposed to web pages

JavaScript files are accessible to ALL websites. Any page can load and interact with these scripts, enabling web→extension attacks.

MEDIUM
web_accessible_resources.matches: Overly broad match patterns

Web-accessible resources use <all_urls> or wildcard patterns, exposing resources to every website.

MEDIUM
web_accessible_resources: JS files exposed to web pages

JavaScript files are exposed as web-accessible resources. Matched websites can load and interact with extension scripts.

External Domains (21)


Indicators of Compromise

22 indicators of compromise found

File Statistics

Total Files: 47
JS Files: 15
Total Size: 3.5 MB
