Missing User Warnings
Medium
- Confidence: 97%
- Finding: The skill requires the API authentication token as a query parameter and then appends all query parameters directly into the request URL. Tokens in URLs are commonly exposed through logs, browser/history tooling, proxy and CDN logs, monitoring systems, and error reporting, making credential leakage more likely than if the token were sent in an Authorization header. In this skill context, the risk is real because the code is a generic API wrapper and gives no warning that the secret will be placed in the URL.
