Missing User Warnings
Medium
- Confidence
- 84% confidence
- Finding
- The README instructs users to place a long-lived Canvas API token in environment variables or a local config file, but it does not warn about token sensitivity, file permissions, shell history exposure, or accidental commits. Because Canvas tokens can grant access to course data associated with the student account, poor handling could lead to credential leakage and unauthorized access to academic information.
