Missing User Warnings
Medium
- Confidence: 96%
- Finding: The skill instructs the agent to write a user-provided Semantic Scholar API key into scripts/.env, creating or overwriting the file, without an explicit warning, a consent step, or any control over how long the key is retained. Persisting a credential to disk is a real secret-handling risk: once the key is in a plain file it can be read by other tools, other local users, logs, backups, or later agent sessions that the user never intended to have it, and a file in a scripts directory is easily swept into version control. Expected mitigations: tell the user where the key will be stored and ask for confirmation before writing, refuse to silently overwrite an existing file, create the file owner-readable only (mode 0600), confirm the path is excluded from version control, and state how to remove or rotate the key.
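The contrast below is an added illustration for this finding, not code from the skill under review: the unguarded write the finding describes next to a consent-gated writer that creates the file owner-only and refuses silent overwrite, plus the post-write checks a reviewer would run. The variable name SEMANTIC_SCHOLAR_API_KEY, the function names, the placeholder key value and the simplified .gitignore matching are assumptions made for the example.

```python
"""Consent-gated, permission-restricted persistence of an API key to scripts/.env.

Added illustration for this finding; not code from the skill under review.
KEY_NAME, the function names and the placeholder key are assumptions.
"""
import os
import stat
import tempfile
from pathlib import Path

KEY_NAME = "SEMANTIC_SCHOLAR_API_KEY"  # assumed variable name


def write_key_unguarded(env_path: Path, api_key: str) -> None:
    """The pattern the finding describes: create or overwrite the file with
    no consent check and default permissions (0644 under a 022 umask, so any
    local user, backup job or tool can read the key)."""
    env_path.write_text(f"{KEY_NAME}={api_key}\n")


def write_key_guarded(env_path: Path, api_key: str, *, consent: bool,
                      overwrite: bool = False) -> Path:
    """Persist the key only with explicit consent, refuse silent overwrite,
    and make the file owner-only (0600) before the secret touches disk."""
    if not consent:
        raise PermissionError(
            f"refusing to persist {KEY_NAME} to {env_path} without user consent")
    if env_path.exists() and not overwrite:
        raise FileExistsError(f"{env_path} exists; pass overwrite=True to replace it")
    env_path.parent.mkdir(parents=True, exist_ok=True)
    # mkstemp already creates the file 0600 on POSIX; fchmod makes that
    # explicit. The atomic rename means a reader never sees a partial write.
    fd, tmp = tempfile.mkstemp(dir=env_path.parent, prefix=".env.")
    try:
        with os.fdopen(fd, "w") as f:
            os.fchmod(fd, 0o600)
            f.write(f"{KEY_NAME}={api_key}\n")
        os.replace(tmp, env_path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return env_path


def audit_env_file(env_path: Path, repo_root: Path) -> dict:
    """Post-write checks: can others read the key, and would `git add .`
    sweep it into history? The .gitignore check is a simplified match
    (exact relative path, bare file name, or **/<name>), not full gitignore
    semantics."""
    mode = stat.S_IMODE(env_path.stat().st_mode)
    rel = env_path.relative_to(repo_root).as_posix()
    gitignore = repo_root / ".gitignore"
    patterns = ([p.strip() for p in gitignore.read_text().splitlines()]
                if gitignore.exists() else [])
    return {
        "mode": oct(mode),
        "group_or_world_readable": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
        "gitignored": any(p in (rel, env_path.name, "**/" + env_path.name)
                          for p in patterns),
        "key_present": KEY_NAME + "=" in env_path.read_text(),
    }


def demo() -> dict:
    """Run both writers in a scratch directory and return the audit results.
    The key value is a constructed placeholder, not a real credential."""
    old_umask = os.umask(0o022)  # typical interactive default
    try:
        root = Path(tempfile.mkdtemp())
        env = root / "scripts" / ".env"
        env.parent.mkdir()
        results = {}

        write_key_unguarded(env, "constructed-placeholder-key")
        results["unguarded"] = audit_env_file(env, root)

        try:
            write_key_guarded(env, "constructed-placeholder-key", consent=False)
            results["no_consent"] = "wrote"
        except PermissionError:
            results["no_consent"] = "refused"

        try:
            write_key_guarded(env, "constructed-placeholder-key", consent=True)
            results["no_overwrite_flag"] = "wrote"
        except FileExistsError:
            results["no_overwrite_flag"] = "refused"

        write_key_guarded(env, "constructed-placeholder-key",
                          consent=True, overwrite=True)
        (root / ".gitignore").write_text("scripts/.env\n")
        results["guarded"] = audit_env_file(env, root)
        return results
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The unguarded write leaves a 0644 file that is not gitignored; the guarded path refuses without consent, refuses to clobber an existing file unless told to, and produces a 0600 file. Both writers are shown so the difference in permissions and consent handling is visible in the audit output rather than asserted in prose.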
