Intent-Code Divergence
Medium
- Confidence: 93%
- Finding: The comments explicitly state that the env-var declaration is included to avoid credential-harvest scanner findings, which is a strong indicator of scanner-evasion behavior rather than purely documenting runtime requirements. Even if the API key is legitimately needed, framing metadata to suppress security tooling undermines trust and can conceal improper secret handling or future abuse.
