todoist-due-drafts

Fail

Audited by Socket on Mar 11, 2026

1 alert found:

Obfuscated File (HIGH)
SKILL.md

Overall, the skill is conceptually aligned with automating email drafts from Todoist outreach tasks and notifying the user. However, it introduces notable security concerns around credential exposure, data flows involving meeting transcripts, and autonomous drafting without explicit per-task user confirmation. The architecture relies on reading sensitive config (.env, user.json), uses multiple external services (Todoist, Granola, Grain, Gmail, WhatsApp), and then drafts and notifies in an automated fashion. These factors render the skill SUSPICIOUS with elevated risk, though not clearly malicious. The primary risk stems from credential access and potential unintended data leakage through context-rich drafts and notifications. Recommend adding explicit user consent prompts per task, minimizing credential exposure (e.g., scoped tokens, ephemeral drafts), auditing data flows, and ensuring logs do not capture sensitive content.

Confidence: 98%

Audit Metadata

Analyzed At: Mar 11, 2026, 04:26 AM
Package URL: pkg:socket/skills-sh/mgonto%2Fexecutive-assistant-skills%2Ftodoist-due-drafts%2F@b55ae8a699012882c6dc6008e439c8c7054de5ec