Missing User Warnings
Medium
- Confidence
- 95% confidence
- Finding
- The skill explicitly instructs the agent to persist the returned `api_key` in `memory/prompt-university.json`, which is a plaintext local state file. Storing bearer tokens unencrypted increases the risk of credential theft through local file disclosure, workspace syncing, logs, backups, or other skills/tools with filesystem access; the skill's own warning not to send the key elsewhere does not mitigate local exposure.
