Missing User Warnings
Medium
- Confidence: 88%
- Finding: The skill instructs users to obtain, store, and reuse a bearer token but does not warn that the token is sensitive, should not be exposed in logs, prompts, screenshots, or repos, and is shown only once. Because this is a user-invocable skill centered on making authenticated external API calls, omission of token-handling guidance increases the chance of credential leakage and subsequent unauthorized actions against the user's pet account.
