Missing User Warnings
Medium
- Confidence
- 98% confidence
- Finding
- The README explicitly instructs users to supply the API token via a command-line flag, which can expose the secret through shell history, process listings, logging, CI output, or screenshots. Because this is a developer-facing usage pattern for a real external API credential, the risk is practical and the documentation normalizes an unsafe secret-handling practice.
