Vague Triggers
Medium
- Confidence
- 94% confidence
- Finding
- The manifest defines a network request that can fetch and potentially act on remote content, but it provides no trigger scope, activation constraints, or user-consent boundaries. In this file, that risk is amplified by the request targeting a raw GitHub install script and including a hard-coded API key header, creating a broad, potentially abusable outbound request capability with unclear invocation conditions.
