Hey! Thank you.
Security is obviously a massive concern. This is one of the reasons why the project is completely open source. Every line of code is readable on the GitHub page I linked in the post.
Right now, the only way someone could access one’s API keys would be if they could already access one’s Obsidian vault. If you back up to Google Drive, they’ll be visible there. The same for any other cloud-sync provider.
The API keys are stored as any other setting in Obsidian (JSON format in a local file).
I have been toying with the idea of a ‘secure-mode’ where you’d have to enter a password to tweet. Here, the API keys entered would be hashed by a password, which would have to be entered every time one would want to tweet.
Another concern would be if a malicious Obsidian plugin targeted users of this plugin. This could perhaps be circumvented by the aforementioned ‘secure-mode’.
I have not used Roam for more than an hour. I do not know which security concerns there have been with regard to tweeting from Roam. I could imagine that the online-vs-local formats of Roam contra Obsidian make this a separate case.
I am more than open to suggestions or improvements. I do not want security to be an issue here. I want people to feel safe using this plugin.
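
An added example, not part of the post above and not the plugin's code: one way the ‘secure-mode’ idea could be built. Because the keys must be recoverable in order to tweet, it uses password-based encryption (scrypt plus AES-256-GCM from Node's `crypto` module) rather than a hash. The field names, blob layout and sample values are assumptions.

```javascript
// Added example. Field names and the stored blob layout are assumptions.
const crypto = require('crypto');

// scrypt cost parameters; maxmem is raised because N=2^15, r=8 needs about 32 MiB.
const SCRYPT = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };
const GCM = { authTagLength: 16 };

function deriveKey(password, salt) {
  return crypto.scryptSync(password.normalize('NFKC'), salt, 32, SCRYPT);
}

// Returns a JSON-safe object that can be saved in place of the plaintext keys.
function sealKeys(keys, password) {
  const salt = crypto.randomBytes(16); // fresh salt and IV on every save
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(password, salt), iv, GCM);
  const ct = Buffer.concat([cipher.update(JSON.stringify(keys), 'utf8'), cipher.final()]);
  return {
    v: 1,
    kdf: 'scrypt',
    salt: salt.toString('base64'),
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ct: ct.toString('base64'),
  };
}

// Recovers the keys; a wrong password and a modified blob both fail the GCM tag check.
function openKeys(blob, password) {
  if (blob.v !== 1 || blob.kdf !== 'scrypt') throw new Error('unsupported blob format');
  try {
    const key = deriveKey(password, Buffer.from(blob.salt, 'base64'));
    const d = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(blob.iv, 'base64'), GCM);
    d.setAuthTag(Buffer.from(blob.tag, 'base64'));
    const pt = Buffer.concat([d.update(Buffer.from(blob.ct, 'base64')), d.final()]);
    return JSON.parse(pt.toString('utf8'));
  } catch {
    throw new Error('wrong password or tampered settings');
  }
}

// Constructed sample values, not real credentials.
const SAMPLE_KEYS = { apiKey: 'EXAMPLE-KEY', apiSecret: 'EXAMPLE-SECRET' };
const stored = sealKeys(SAMPLE_KEYS, 'correct horse');
console.log(JSON.stringify(stored)); // what would land in the settings file
```

This protects the settings file at rest, for example in a cloud-synced copy of the vault. It does not isolate the decrypted keys from other code running in the same process once the password has been entered.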