Missing User Warnings
Medium
- Confidence
- 97% confidence
- Finding
- The skill explicitly recommends passing an authentication cookie in the URL query string so the server can set a session cookie. URL query parameters are commonly exposed via browser history, server/access logs, reverse proxies, analytics, referrer headers, screenshots, and copied links, so this guidance can leak a bearer credential and enable account/session hijacking. In this context, the risk is elevated because the cookie is intended for authentication and the pattern is presented as the recommended approach for agent browsers.
