Missing User Warnings
Medium
- Confidence
- 92% confidence
- Finding
- The skill instructs users to place a long-lived access token in configuration and shows a concrete token variable without any explicit warning that the token is sensitive, should be minimally scoped, and must never be logged, shared, or embedded in prompts/output. Because this skill grants access to personal and shared bookmark data, accidental disclosure of the token could let an attacker read or modify a user's collections through the agent integration.
