Missing User Warnings
Medium
- Confidence
- 90% confidence
- Finding
- The documentation tells users to configure an external-service API key and use the package, but it does not clearly disclose that user prompts and any included data will be transmitted to OpenRouter or another third-party endpoint. This creates a real privacy and data-handling risk because users may unknowingly send sensitive prompts or credentials to an external provider under different retention, logging, or jurisdictional policies.
