Missing User Warnings
Medium
- Confidence
- 95% confidence
- Finding
- The README explicitly recommends setting `httpOnly: false` as a quick fix for OAuth cookie handling, but provides no warning that this makes the token-bearing cookie readable by client-side JavaScript. In an OAuth context, that materially increases exposure to token theft via XSS, third-party scripts, browser extensions, or other client-side compromise, and the skill context makes this more dangerous because it presents the change as a proven solution for production troubleshooting.
