I'd agree that the documentation is pretty sparse on this, but there's also a significant PEBKAC problem in this case - literally the only example in the README for the gem (and all the tests) shows it using a key that's a long hex string. The "security flaw" is a developer using a crypto library without a clear understanding of its requirements.