Description-Behavior Mismatch
Medium
- Confidence
- 92% confidence
- Finding
- The README documents an endpoint that executes widget server code (`POST /api/widgets/:slug/execute`) even though the skill is framed as a dashboard/widget manager. In an agent-integrated system where widgets may be created from natural language or imported packages, this materially expands scope into arbitrary code execution and creates a dangerous trust boundary if untrusted widget definitions can reach that endpoint.
