Missing User Warnings
Medium
- Confidence
- 86% confidence
- Finding
- The setup guide shows an API bearer token embedded directly in configuration examples but does not explicitly warn that the token is a sensitive secret that must be stored, scoped, and rotated securely. Readers may copy this pattern into plaintext config files, screenshots, repos, or shared workstation profiles, increasing the chance of credential disclosure and unauthorized access to the Preloop MCP server.
