Missing User Warnings
Medium
- Confidence: 95%
- Finding: The documentation directs users to place highly sensitive OAuth client secrets, access tokens, usernames, and passwords into a plain `.env` file, but provides no warning about secure storage, file permissions, or exclusion from version control. In an agent skill context, this is more dangerous because users may follow the instructions mechanically and expose reusable credentials to local compromise, shell history, backups, or accidental commits.
