Missing User Warnings
Medium
- Confidence
- 86% confidence
- Finding
- The reference documents the use of a user-supplied `callback_url` that will receive task state and result notifications, but it does not explicitly warn that task metadata and potentially result URLs will be transmitted to an external endpoint. In a skill context, this can lead to unintentional data disclosure or SSRF-style misuse if downstream implementations accept arbitrary callback targets without validation or user consent.
