Missing User Warnings
Medium
- Confidence
- 93% confidence
- Finding
- The script sends both the Tavily API key and the user-supplied URLs to a third-party service, but provides no runtime disclosure or consent prompt to make that data flow explicit to the operator. In a CLI context this can cause unintended leakage of sensitive URLs, internal endpoints, or private query targets, especially if users assume the tool only performs local extraction.
