Missing User Warnings
Medium
- Confidence
- 83% confidence
- Finding
- The README instructs users to place sensitive Strava OAuth credentials, including refresh tokens and client secrets, into a local configuration file but does not warn about protecting those secrets or the privacy implications of exposing fitness and profile data. While this file is documentation rather than executable code, the omission can lead users to mishandle long-lived credentials and personal activity data, increasing risk of unauthorized account access if the config is exposed.
