Jane, this looks like it could be useful, and thanks for your efforts in making it available. I bring this up rather reluctantly, but I’m always wary of granting full account authorization to third-party apps. While I trust your intentions, I don’t know your programming and software auditing skills, and am concerned when you say “vibe-coded.” Even though I trust that you do not intentionally have anything but “GET” API calls, granting such authorization could conceivably, however unlikely, lead to completely wiping out a user’s iNaturalist account, and I couldn’t bring myself to try it. As it’s on GitHub, I could do my own audit to make sure it’s safe, but I’m not sure I trust my own skills that much, either.
This really goes to a larger issue: The iNaturalist community is built largely on trust, and iNaturalist itself has lots of methods for supporting this trust (mostly via flags and curators for cases where that trust is violated either through bad intent or honest mistakes). However, for third-party software add-ons, how do we know what’s reliable and trustworthy? For simple query-based add-ons that provide alternative displays for public data, there are not big issues. But when we’re dealing with add-ons that require private (authorized) access, there can be severe consequences to programming errors (or even potentially malicious code). How do we decide what’s safe?