4todo

This SKILL.md is coherent and proportionate for its stated purpose: controlling a user's 4to.do account via the service API. It requests the minimal credential necessary (a bearer token) and provides appropriate guidance to avoid embedding secrets in chat or repos, recommends per-run env injection, and restricts network calls to the official 4to.do API. The primary residual risk is credential exposure if the host or agent runtime logs environment variables or executed shell commands; operators should ensure the runtime does not record tokens in logs or history. No evidence of malicious intent, third-party exfiltration endpoints, download-execute chains, or obfuscated/malicious code is present in this instruction file.