Missing User Warnings
Medium
- Confidence
- 90% confidence
- Finding
- The manual token bootstrap example shows users placing an app secret directly into a curl command body, which is sensitive because shell history, process inspection, logs, screenshots, and copied examples can expose the credential. In a documentation context this is not overtly malicious, but it normalizes unsafe secret-handling practices without a strong warning or safer default.
