Missing User Warnings
Medium
- Confidence
- 94% confidence
- Finding
- The skill instructs the agent to persist highly sensitive credentials (appId and especially appKey) into a local memory file, but it does not require explicit user consent, secure storage controls, or a warning that the secret will remain on disk for future reuse. In an agent environment, local memory may be readable by other skills, logs, backups, or users on the host, so silent persistence materially increases the risk of credential theft and unauthorized API use.
