Missing User Warnings
Medium
- Confidence
- 96% confidence
- Finding
- The skill documentation explicitly references a concrete 1Password secret path for a Google API key, which discloses the existence, storage location, and retrieval identifier of a sensitive credential. Even without the secret value itself, this materially lowers the barrier to credential targeting, misuse by other agents/users with 1Password access, and accidental exfiltration because it normalizes direct secret retrieval in user-facing instructions without any handling safeguards.
