Missing User Warnings
Medium
- Confidence
- 96% confidence
- Finding
- The skill asks the user to handle a Telegram bot token and a long-lived Home Assistant access token, but it does not provide a prominent warning about storage, log leakage, shell history exposure, or accidental disclosure in pasted YAML and curl commands. Because these credentials grant messaging and Home Assistant API access, mishandling them could enable account abuse or control of the user's HA instance.
