Missing User Warnings
Medium
- Confidence
- 92% confidence
- Finding
- The skill asks for a Gmail app password and shows passing it via command-line arguments or environment variables, but it does not include an explicit warning about sensitive credential handling. Credentials supplied this way may be exposed through shell history, process listings, logs, or agent traces, and the skill context is more dangerous because it targets a live personal/business mailbox and bulk-downloads attachments.
