Missing User Warnings
Medium
- Confidence
- 91% confidence
- Finding
- The README states that an API key will be automatically created and stored locally, but it does not clearly warn where it is stored, how it is protected, or the security implications of persistence on disk. Persisted credentials can be exposed through weak filesystem permissions, backups, shared machines, or accidental inclusion in logs and archives, especially in agent-based environments where users may not realize a secret is being retained.
