Missing User Warnings
Medium
- Confidence
- 92% confidence
- Finding
- The skill instructs users to place a live Todoist API token in a plaintext config file under their home directory without any guidance on file permissions, secret storage, or avoiding shell history leaks. This can expose credentials to other local users, backups, logs, or malware, enabling unauthorized access to the user's Todoist account.
