Missing User Warnings
Medium
- Confidence
- 90% confidence
- Finding
- The skill instructs users to inject GOLDRUSH_API_KEY into a child process environment when launching a package fetched via npx. Environment-variable injection is common, but it increases secret exposure risk through process inspection, inherited subprocesses, shell history mistakes, logs, or execution of an unpinned third-party package version (@latest).
