When adding Kagi as search engine, it will save the URL with the session token in it.
Like the session link from the settings.
This means whenever I search something my session token pops up for a second. It is visible in the URL bar.
This means I basically can't use Kagi securely when people could film my screen, i.e., in public.
This happens only when adding the Kagi search engine from the browser ui (opensearch.xml). But it is the default way to add a search engine and it is "leaking" my session cookie in the GET parameters.
Users can avoid this by manually setting the search engine URL. But only if they notice it and know this stuff.
Since I am logged in, I don't need the session link there.
Note that I'm not saying it's a urgent critical security issue, but it is odd and should be changed IMO