Context-Inappropriate Capability
Low
- Confidence
- 83% confidence
- Finding
- The code interactively collects a bearer token and persists it in plaintext to a local .env file without warning or permission controls. This creates credential exposure risk if the project directory is shared, committed, or readable by other local users/processes.
