mcp-evernote

The server securely handles Evernote OAuth tokens, storing them locally or using environment variables, with explicit warnings against committing secrets. The `auth-standalone.ts` script runs a local Express server on `localhost` for the OAuth callback, which is a standard and safe practice for local authentication flows. The server supports user-configured webhooks for change notifications (`EVERNOTE_WEBHOOK_URL`). While this involves making outbound network requests to a user-defined URL, the functionality is documented and the responsibility for ensuring the webhook endpoint's trustworthiness lies with the user. The data sent to webhooks is specific Evernote change data (GUIDs, titles, timestamps), not broader sensitive system information. No `eval` or code obfuscation was found, and the codebase appears clean.