Missing User Warnings
Medium
- Confidence
- 92% confidence
- Finding
- The webhook creation example embeds a plaintext credential placeholder (`Bearer secret_token`) directly in the skill documentation without any warning not to paste real secrets into chat, logs, or examples. In this skill's context, users are explicitly guided to configure live Postmark integrations and webhooks, so normalizing inline secret handling increases the chance that real bearer tokens will be copied into unsafe places or retained in conversation history.
