Context-Inappropriate Capability
Medium
- Confidence
- 98% confidence
- Finding
- The workflow explicitly instructs reading the GitCode token from local CLI config and then placing it into API URLs. Tokens in query strings are commonly exposed via shell history, process listings, logs, proxies, and error reporting, so this creates a real credential leakage risk beyond the intended API call.
