Missing User Warnings
Medium
- Confidence
- 92% confidence
- Finding
- The quick-start instructs users to pass an API key directly on the command line using `posteahora auth --key pah_live_xxxxxxxx`. Secrets entered this way are commonly exposed through shell history, process listings, terminal recordings, and shared documentation snippets, which can lead to account compromise if a real key is used. In a publishing CLI context, the key likely grants access to connected social accounts, making accidental disclosure more consequential.
