Missing User Warnings
Medium
- Confidence: 91%
- Finding: The documentation explicitly recommends long-lived PATs for automation and shows tokens being passed via an inline environment assignment and a `--token` CLI flag, without warning about secret exposure. In agent, CI, and multi-user shell contexts, credentials can leak through command-line arguments, shell history, and process inspection, and long-lived tokens increase the blast radius if exposed.
