calendar-mcp

The project is open source and auditable. No 'eval' or obfuscation is present. Authentication for Microsoft accounts (M365, Outlook.com) uses MSAL with OS-level encrypted token storage (DPAPI on Windows, Keychain on macOS). However, Google account tokens are stored in plaintext JSON files locally, although restricted by file permissions, which is explicitly noted as a known limitation and a future enhancement for encryption. Google client secrets are explicitly shown in `appsettings.json` examples and are requested via the CLI, despite documentation strongly recommending against storing secrets in configuration files and advising the use of environment variables instead. This creates a potential for user error if `appsettings.json` is not adequately secured or accidentally committed to source control (though `.gitignore` should prevent this for development files). No obvious malicious network risks or patterns were found.