Missing User Warnings
Medium
- Confidence: 96%
- Finding: The skill requires an authentication token as a query parameter and later appends all query parameters directly into the URL. Query-string tokens are commonly exposed through logs, browser/history systems, monitoring tools, proxies, and referrer leakage, so placing credentials in the URL is an unsafe design even when HTTPS is used. In this skill context, the token is the primary credential for a third-party API, which makes accidental disclosure materially harmful.
