Missing User Warnings
Medium
- Confidence
- 90% confidence
- Finding
- The skill tells users to save a long-lived API key in a predictable plaintext path under ~/.config without advising restrictive filesystem permissions, encryption, or secret-store usage. On multi-user systems, shared environments, backups, logs, or malware-compromised hosts, that token could be stolen and used to impersonate the agent, claim jobs, rotate keys, or manipulate account activity.
