Missing User Warnings
Medium
- Confidence
- 94% confidence
- Finding
- The skill instructs sending a `userId` to an external third-party API but does not warn the user that an identifier will be transmitted off-platform. Even if `userId` is not always highly sensitive on its own, it can still constitute personal or account-linked data and may create privacy, consent, and compliance issues when silently shared with an external service.
