Missing User Warnings
Medium
- Confidence: 92%
- Finding: The skill explicitly enables sending private messages to third-party service providers by reusing a returned userSlug, but it does not require an explicit user confirmation step immediately before dispatching the message. This creates a risk of unintended outbound communication, spam, or disclosure of user-provided content to external parties, especially because messaging is an authenticated action tied to the user's account.
