Missing User Warnings
Medium
- Confidence
- 96% confidence
- Finding
- The skill explicitly defines the API token as a query parameter and later appends all query parameters into the URL before issuing the request. Secrets in URLs are commonly exposed through logs, browser/history equivalents, proxy caches, monitoring systems, crash reports, and upstream service telemetry, so this creates avoidable credential leakage risk even though the request uses HTTPS.
