Missing User Warnings
Medium
- Confidence
- 93% confidence
- Finding
- The documentation explicitly describes use of a service-level API key and endpoints that expose sensitive user information such as email, credit balance, and study data, but it provides no safeguards around key storage, least-privilege usage, or restrictions on exposing returned data. In an agent skill context, this is dangerous because skills often automate requests and may log, embed, or mishandle service credentials, turning the documented API into a pathway for unauthorized access to user data across accounts.
