Missing User Warnings
Medium
- Confidence: 94% confidence
- Finding: The create-paste command reads arbitrary content from --content or stdin and transmits it to a third-party remote service by default, but the code provides no inline warning, confirmation, or guardrails about sharing sensitive data. In the context of an agent handoff/pastebin skill explicitly designed to move data out of the local context window, this increases the chance that secrets, internal prompts, PII, or proprietary work product are exfiltrated to an external service unintentionally.
