Missing User Warnings
Medium
- Confidence
- 95% confidence
- Finding
- The skill sends the user-supplied `shopInput` to an external API endpoint on a third-party domain (`https://rakuten.845817074.xyz`) without any visible disclosure, consent prompt, or data-handling notice. Even if the expected input is only a shop URL or shop code, users may provide broader business-sensitive URLs or identifiers, and the code transmits them off-platform automatically.
