Context-Inappropriate Capability
Medium
- Confidence
- 92% confidence
- Finding
- The script explicitly instructs users to retrieve a live JWT from browser local storage via DevTools. That encourages manual extraction of sensitive session credentials outside a safer OAuth/API-key flow, increasing the chance of token mishandling, reuse, or leakage through shell history and local files.
