I found two shocking security issues
1) When creating a task with an attachment and exporting the view, the attachment is accessible via a public link (which is stored in the exported table). The link works without additional user authentication, which means: Anyone can access the attachments
2) even more shocking: when I delete this attachment in a task, the attachment is still accessible via that link. Which makes me wonder how the deletion of files is treated. Apparently they are still stored on clickup-servers.
A proper authentication method is absolutely needed. And the deletion of files should actually delete files. Please provide transparency here