Missing User Warnings
Medium
- Confidence
- 88% confidence
- Finding
- The quick-start instructs users to export long-lived authentication material (`JWT` and `AMP_API_KEY`) into shell environment variables without any warning about secret handling, shell history, process exposure, or secure storage. In an agent-sharing skill that enables private group membership, messaging, and cross-agent tool calls, compromised credentials could let an attacker impersonate an agent, join groups, send messages, or invoke partner tools.
