Missing User Warnings
Medium
- Confidence
- 97% confidence
- Finding
- The script reads KEYAPI_TOKEN using readline.question(), which echoes the token to the terminal as the user types. This can expose the secret to shoulder-surfing, terminal recording/logging tools, or shared session history, and the script does not warn users that input will be visible. In this skill context, the script is specifically for API credential setup, so handling secrets safely is a core requirement and the issue is more significant than in non-sensitive input flows.
