Missing User Warnings
Medium
- Confidence: 98%
- Finding: The skill requires an authentication token as a query parameter and then appends it to the request URL. Query-string secrets are routinely exposed via logs, browser history, proxy caches, monitoring systems, and error reporting, making credential leakage more likely than if the token were sent in an Authorization header. In this skill context, the risk is real because the code is specifically designed to call a third-party API over the network and provides no warning that the token will be embedded in the URL.
