Context-Inappropriate Capability
Medium
- Confidence
- 86% confidence
- Finding
- The agent imports and uses a subprocess execution primitive and forwards an API key from the environment to those subprocesses, but there is no manifest or other visible authorization boundary explaining why this capability is required. In a skill context, shelling out with secrets increases the attack surface because command construction, downstream tool behavior, and secret handling are harder to audit and can enable unintended external actions or credential exposure.
