Context-Inappropriate Capability
High
- Confidence
- 99% confidence
- Finding
- The skill documentation and metadata expose a concrete Tavily API key directly in the repository content, including configuration examples and environment variable instructions. This creates an immediate credential leakage risk because anyone with access to the skill file can reuse the key, consume paid API quota, impersonate the service account, or pivot into related systems if the key has broader scope.
