Missing User Warnings
Medium
- Confidence
- 98% confidence
- Finding
- The skill defines the access token as a query parameter and later appends all query parameters directly into the request URL. Query-string credentials are commonly exposed via logs, proxies, browser/history tooling, monitoring systems, and error messages, making accidental credential disclosure significantly more likely than if the token were sent in an Authorization header.
