Due to unsafe URL handling, bbot's git_clone.py can be made to leak a user's github.com API key to an attacker-controlled webserver.
A user who has placed their github.com API key in the configuration for any of the following modules:
github_codesearchgithub_workflowsgitlabgit_clonegithub_usersearchgithub_orgmay leak it to an untrustworthy server.