Missing User Warnings
Medium
- Confidence
- 97% confidence
- Finding
- The skill mandates writing MARKETUP_API_KEY to a global env file and even requires the agent to execute that setup flow automatically when the variable is missing. Persisting credentials to a shared global configuration path without an explicit warning or consent step can expose secrets to other skills, users, backups, or processes on the host and creates lasting compromise if the endpoint or machine is later accessed by an attacker.
