Context-Inappropriate Capability
Medium
- Confidence: 92%
- Finding: The skill instructs the agent to source credentials from a local file and environment, then later persist a user-provided API key to disk. Accessing and storing secrets is security-sensitive behavior, and the manifest does not clearly disclose this capability or constrain when it should occur, creating risk of unnecessary secret handling and expansion of access beyond the immediate task.
