Context-Inappropriate Capability
Medium
- Confidence
- 93% confidence
- Finding
- The skill directs the agent to probe multiple filesystem locations, including project, XDG config, and the user's home directory, for EXTEND.md before doing its main task. Even if intended for loading preferences, this expands access beyond user-provided content and can disclose existence or contents of files in sensitive areas of the local environment, which is unnecessary unless the user has explicitly opted into that behavior.
