Intent-Code Divergence
Medium
- Confidence
- 98% confidence
- Finding
- The local MCP example embeds `MONDAY_API_TOKEN` directly in JSON configuration as `"your_token_here"`, which contradicts earlier guidance not to persist secrets in files. This creates a realistic risk of credential exposure through local file disclosure, backups, screenshots, or accidental commits, especially because config files are commonly long-lived and broadly readable.
