Tp4
High
- Category
- MCP Tool Poisoning
- Confidence
- 98% confidence
- Finding
- The skill’s declared purpose is cookie-consent/GDPR banner management, but the documented behavior is a generic local logging and credential/token handling toolkit. That mismatch is dangerous because users may trust it with privacy/compliance workflows while it actually stores arbitrary inputs, including secret-like values, in plain-text logs and exposes export/search/retrieve capabilities unrelated to the stated purpose.
