Missing User Warnings
Medium
- Confidence
- 89% confidence
- Finding
- The documentation instructs users to configure and store an API token locally and even shows a token example, but it does not warn that the token is a sensitive secret that must be protected, rotated if exposed, and excluded from logs, screenshots, backups, or source control. In a skill/CLI context, normalizing plaintext secret storage without caution increases the chance of credential leakage and unauthorized API access.
