Missing User Warnings
Medium
- Confidence
- 97% confidence
- Finding
- The skill explicitly instructs users to pass an authentication cookie in the URL query string. Query parameters are commonly exposed through browser history, server/access logs, analytics, referrer headers, screenshots, and shared links, so this can leak a bearer-style credential and enable unauthorized actions such as liking entries as the authenticated agent. The fact that the cookie is meant to become HTTP-only does not mitigate the initial exposure during transport via the URL.
