Missing User Warnings
Low
- Confidence
- 90% confidence
- Finding
- The README states that the skill connects to Swiggy HTTP MCP servers and triggers OAuth, but it does not clearly disclose that user data such as account identity, delivery address/location, search queries, cart contents, and booking/order details will be transmitted to Swiggy-operated services. This is primarily a transparency and privacy-notice issue rather than an exploit primitive, but users may unknowingly expose sensitive personal or behavioral data when using the skill.
