Greg Pierce writing about the URL scheme security in Drafts:
If you use Drafts automation features and are concerned about the security implications, I highly recommend you enable the URL key setting. As with most security measures, the downside of this setting is convenience. You will have edit custom actions you download to include this “key=[your key]” parameter for them to work. Note that since the value is editable, if you use Drafts on multiple devices you can set the value to match on all your devices to more easily share actions.
He is responding to Guillaume Ross’ post on security vulnerabilities.