Missing User Warnings
Medium
- Confidence: 98%
- Finding: The skill transmits the authentication token as a URL query parameter (`token`). Query strings are commonly recorded in places such as reverse proxy logs, browser history, CLI history wrappers, observability systems, and backend access logs. Even though the request uses HTTPS, query-string secrets have a much larger exposure surface than headers or request bodies, making accidental credential disclosure significantly more likely.
