todoist-mind
Pass
Audited by VirusTotal on May 11, 2026.
Findings (1)
The skill contains a hardcoded API token in 'references/API_CONFIG.json', which is a significant security risk and credential leak. There is also a critical contradiction between 'SKILL.md' and 'references/SECURITY.md' regarding whether the token should be stored in a configuration file or an environment variable, which could lead to improper secret management by the user. Furthermore, the script 'scripts/todoist_api.py' uses an unconventional API base URL (api.todoist.com/api/v2) and performs a full data sync ('resource_types': ['all']) on every execution, which is excessive for simple task management.
