action-items-todoist
Fail
Audited by Socket on Mar 12, 2026
1 alert found:
Obfuscated File
HIGH
SKILL.md
The skill is coherently designed to automate action-item extraction, task creation, and follow-up drafting, but it relies on multiple external, potentially unverifiable binaries (mcporter, todoist-cli, Grain MCP) and accesses sensitive local config and tokens. The absence of verified sourcing for these binaries and the broad data flows to external services elevate security risk. The workflow is plausible for legitimate use but should be treated as SUSPICIOUS until unverifiable components are replaced with verifiable, auditable equivalents (official registries, signed binaries, or self-hosted equivalents) and secret handling is hardened (no logging of tokens, minimized blast radius).
Confidence: 82%