Context-Inappropriate Capability
High
- Confidence
- 99% confidence
- Finding
- The README includes what appear to be live third-party credentials and a verification endpoint token directly in installation instructions. Publishing secrets in documentation enables unauthorized use of external services, account takeover/abuse, and billing or reputation damage, and the sms verification URL is especially suspicious because it is unrelated to a normal end-user setup flow for a monetization skill.
