Missing User Warnings
Medium
- Confidence
- 95% confidence
- Finding
- The documentation explicitly shows passing the API key on the command line, which can expose the secret via shell history, terminal logging, CI logs, and process listings visible to other local users. In a skill intended for agent use, this is especially risky because examples are likely to be copied verbatim and may be surfaced in automated execution contexts where command arguments are logged.
