Missing User Warnings
Medium
- Confidence
- 95% confidence
- Finding
- The WebSocket example places the API key in the URL query string (`wss://.../ws?apiKey=KEY`). Query-string credentials are commonly exposed via logs, browser/devtool history, proxies, monitoring systems, shell history, and crash reports, making accidental credential leakage more likely than header-based auth. In a skill meant to be copied verbatim by agents and users, documenting this pattern without a warning materially increases leakage risk.
