Missing User Warnings
Medium
- Confidence
- 94% confidence
- Finding
- The skill instructs reading a bot token from a local config file and explicitly notes that webhook tokens embedded in URLs act as authentication, but it provides no guidance on redaction, secret storage, shell history, logging, or output sanitization. This is dangerous because agents or operators may echo, log, persist, or paste these credentials, enabling unauthorized API access if exposed.
