Missing User Warnings
Medium
- Confidence
- 93% confidence
- Finding
- The README explicitly shows sending an Authorization header to a remote endpoint, but gives no warning that credentials will be transmitted to whatever URL the user supplies. In a skill centered on checking arbitrary URLs, this is risky because users may test untrusted or mistyped destinations and inadvertently disclose bearer tokens.
