Missing User Warnings
Medium
- Confidence
- 86% confidence
- Finding
- The documentation tells users to place a long-lived GitLab access token in a local `.env` file but does not warn that this file must be protected from accidental disclosure, logging, backups, or source control commits. In a polling automation skill with API write access, token compromise could let an attacker read repository data and post comments or notes across accessible GitLab projects.
