Missing User Warnings
Medium
- Confidence
- 95% confidence
- Finding
- The skill instructs users to extract an OAuth access token from ~/.claude/.credentials.json and place it into a plain environment file, while also stating the token is long-lived (~10 years). This materially increases credential exposure risk because users are encouraged to manually handle a durable bearer token without any explicit warning about secure storage, least privilege, or avoiding accidental disclosure in logs, shell history, backups, or repos.
