Missing User Warnings
Medium
- Confidence
- 97% confidence
- Finding
- The skill sends the API access token as a URL query parameter (`token`), which is commonly exposed in logs, browser history, intermediary proxies, monitoring systems, and error messages. In this skill, the token is appended directly to the request URL, making accidental credential leakage materially more likely even though the transport uses HTTPS.
