Intent-Code Divergence
Medium
- Confidence
- 98% confidence
- Finding
- The documentation explicitly recommends placing the API key in the WebSocket URL query string for browser use. Query parameters are commonly exposed through browser history, logs, reverse proxies, monitoring tools, referrer leakage patterns, and support/debug artifacts, so this increases the chance of credential disclosure even when TLS is used. In this skill context, the API key grants access to a taker trading API, so credential leakage could enable unauthorized access to order status, cancellation flows, and related trading actions.
