Missing User Warnings
Medium
- Confidence
- 98% confidence
- Finding
- The skill defines the API token as a query parameter and later appends all query parameters directly into the request URL. Query-string credentials are commonly exposed in logs, proxies, browser/history tooling, monitoring systems, and error reports, so the token may be disclosed beyond the intended recipient even when sent over HTTPS.
