Missing User Warnings
Medium
- Confidence
- 95% confidence
- Finding
- The guide recommends exporting the master password as an environment variable for non-interactive use without warning that environment variables may be exposed through shell history, process listings, CI logs, inherited environments, or crash diagnostics. Because this password unlocks the encrypted API-key store, disclosure could let an attacker recover fleet-management credentials and operate managed endpoints.
