Missing User Warnings
Medium
- Confidence
- 84% confidence
- Finding
- The API key is placed in the URL query string, which can be exposed through logs, proxies, browser/history-like tooling, monitoring systems, or error messages even when HTTPS is used. This is especially relevant for agent integrations where command invocations and request URLs are often captured for debugging or telemetry.
