Missing User Warnings
Medium
- Confidence
- 91% confidence
- Finding
- The README explicitly tells users to copy a gateway authentication token into Lyra's environment, but it does not warn that this token is sensitive, should be scoped minimally, and must not be committed, logged, or shared. Because Lyra is a separate sidecar app connecting as an operator to OpenClaw, compromise of that environment or accidental exposure of the token could grant unauthorized access to the user's agent or gateway.
