Missing User Warnings
Medium
- Confidence
- 89% confidence
- Finding
- The skill documents a direct API token entry flow for headless environments but does not warn that the token is a sensitive secret that must not be echoed, logged, persisted in chat history, or exposed in terminal history. In an agent context, this increases the chance the agent will ask the user to paste a long-lived credential directly into the conversation or command line, where it may be retained or surfaced to other tools.
