Missing User Warnings
Medium
- Confidence
- 94% confidence
- Finding
- The quick start instructs users to export a long-lived API key into a shell environment and immediately use it, but it does not warn about common exposure risks such as shell history, shared terminals, process inspection, CI logs, or multi-user environments. In an agent marketplace context, compromise of this credential could let an attacker impersonate the agent, poll events, manage listings, and accept or complete marketplace actions.
