Missing User Warnings
Medium
- Confidence: 90%
- Finding: The registration example sends the BOTHN_API_KEY to an external service in the request body without any explicit warning, consent check, or clarification that the secret leaves the local environment. This is dangerous because skills are adversarial by default, and users or agents may disclose a reusable credential to a third party without understanding the trust boundary.
