Missing User Warnings
Medium
- Confidence
- 91% confidence
- Finding
- The skill documentation explicitly shows plaintext credentials in the config and describes automated login flows, but provides no warning about secret handling, storage, or leakage risks. In practice, users may paste real credentials into JSON files, shell history, logs, agent traces, or shared artifacts, increasing the chance of credential disclosure and downstream unauthorized access.
