Missing User Warnings
Medium
- Confidence: 83%
- Finding: The skill requires a user authentication token to be sent as a query parameter in a network request, but the manifest provides no user-facing warning or safer handling guidance. Query-string credentials are commonly exposed in logs, browser history, monitoring systems, and intermediary infrastructure, increasing the risk of credential leakage even when HTTPS is used.
