Missing User Warnings
Medium
- Confidence
- 98% confidence
- Finding
- The documentation instructs developers to place a long-lived API key into client-side React environment variables and pass it directly into a browser provider. In CRA/Vite, these variables are bundled into the frontend and are trivially recoverable by any user of the app, enabling unauthorized API use, account abuse, and billing/credit theft; in a React SDK skill, this context makes the issue more dangerous because consumers are likely to copy the example verbatim into production.
