Missing User Warnings
Medium
- Confidence
- 95% confidence
- Finding
- The documentation describes a service-level API key and endpoints that return sensitive user information such as email, credit balance, and study stats, but it provides no security guidance on secret handling, least-privilege use, data minimization, or storage/transmission protections. In an agent skill context, this omission is dangerous because implementers may embed the key in prompts, logs, client-side code, or send broad data to downstream tools, increasing the chance of credential leakage and unauthorized access to user data.
