Missing User Warnings
Medium
- Confidence
- 91% confidence
- Finding
- The document explicitly instructs users to persist a Google OAuth client secret and per-user OAuth tokens in `~/.canonry/config.yaml`, and states those tokens are stored there, but provides no warning about the file's sensitivity, access controls, or encryption. If that file is readable by other local users, committed to source control, included in backups, or exfiltrated by malware, an attacker could reuse refresh tokens and client credentials to access or manage connected Google Business Profile data.
