Missing User Warnings
Medium
- Confidence: 95%
- Finding: The skill explicitly instructs users to extract an OAuth access token from a local credentials store and copy it into another environment file, but it does not warn that this token is sensitive bearer credential material. Because the token is described as long-lived and is moved into a reusable config path, accidental disclosure through shell history, logs, dotfile sync, screenshots, or source control becomes much more likely.
