Missing User Warnings
Medium
- Confidence
- 96% confidence
- Finding
- The scan workflow explicitly instructs sending the full SKILL.md content to a third-party API, but nowhere requires warning the user that pasted skills may contain secrets, internal URLs, tokens, proprietary prompts, or other sensitive data. In a security-scanning context this is especially risky because users may trust the tool and submit unredacted content, causing unintended data disclosure to the remote service.
