Missing User Warnings
Medium
- Confidence: 91%
- Finding: The README instructs users to place a WordPress application password in a .env file and then export it into the shell environment, but it does not clearly warn that this credential is sensitive, should never be logged or committed, and may be exposed through shell history, process inspection, CI logs, or inherited subprocess environments. In an agent-skill context, this is more dangerous because automation frameworks commonly capture environment variables, command transcripts, and debugging output, increasing the chance of credential leakage.
