The error messages emitted by pmm-admin should not be disclosing HTTP Auth credentials.
An example is visible in PMM-1483, but I found it when getting a non-204 response adding mysql:queries:
Aside from it being generally undesirable, why is this particularly important? This output may be generated via automated/manual tasks and stored in logs, leaving evidence on disk. Even worse than this, the information could be sent onward to a remote destination (rsyslog, Filebeat, etc.) and the credentials would be stored along with the address somewhere in the ether. That may be rather difficult to remedy, perhaps impossible under certain conditions.
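
One way to keep URL-embedded credentials out of logged error text, as an added example that is not pmm-admin's own code: a Go writer that scrubs the userinfo part of any URL before the message reaches the log sink. It assumes the credentials appear in `scheme://user:pass@host` form; the names `RedactURLCredentials`, `RedactingWriter` and `LogThroughRedactor` and the sample message are constructed for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"log"
	"regexp"
)

// userinfoRE matches "scheme://userinfo@" and captures the scheme prefix. The
// greedy class stops at the end of the authority (/, ?, #, whitespace), so a
// password that itself contains '@' is still consumed up to the last '@'.
var userinfoRE = regexp.MustCompile(`(?i)\b([a-z][a-z0-9+.-]*://)[^/?#\s]*@`)

// RedactURLCredentials replaces the userinfo part of every URL in msg.
func RedactURLCredentials(msg string) string {
	return userinfoRE.ReplaceAllString(msg, "${1}***@")
}

// RedactingWriter scrubs each write before it reaches the wrapped sink
// (file, syslog socket, shipper), so no call site can bypass redaction.
// log.Logger issues one Write per message, so a URL is never split.
type RedactingWriter struct{ W io.Writer }

func (r RedactingWriter) Write(p []byte) (int, error) {
	if _, err := r.W.Write(userinfoRE.ReplaceAll(p, []byte("${1}***@"))); err != nil {
		return 0, err
	}
	return len(p), nil // report the caller's length, not the rewritten one
}

// LogThroughRedactor logs msg via a logger wired to RedactingWriter and
// returns what the sink actually received.
func LogThroughRedactor(msg string) string {
	var sink bytes.Buffer
	log.New(RedactingWriter{W: &sink}, "", 0).Print(msg)
	return sink.String()
}

func main() {
	// Constructed sample message; not real pmm-admin output.
	msg := "request failed: PUT http://admin:s3cr3t@192.0.2.10:8080/v1/agent: status 500"
	fmt.Print(LogThroughRedactor(msg))
}
```

Redacting at the writer rather than at each call site means messages built by libraries pass through the same filter before they are written to disk or forwarded.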