Intent-Code Divergence
High
- Confidence
- 99% confidence
- Finding
- The document embeds real-looking IMA ClientID and API key values directly in a distributable SKILL.md, contradicting its own guidance not to include secrets. Anyone with access to the file can reuse these credentials to interact with the IMA API, causing unauthorized note creation, modification, or broader account abuse depending on token scope.
