Intent-Code Divergence
High
- Confidence
- 98% confidence
- Finding
- The manifest explicitly claims agent private keys are generated locally and 'never transmitted,' but the documented authentication scheme requires sending the private key in the request body or X-Private-Key header to remote API endpoints. This is a material security contradiction because it can mislead users and integrators into treating the skill as zero-exposure when the service actually receives the secret used for authentication and possibly encryption key derivation.
