Missing User Warnings
Medium
- Confidence: 84%
- Finding: The skill instructs agents to send a secret key in HTTP headers but provides no warning about secure transport, storage, rotation, or redaction. In the provided example, the base URL uses plain HTTP, which could expose the secret to interception on non-local networks and lead to agent impersonation or unauthorized API actions.
