Description-Behavior Mismatch
Medium
- Confidence
- 95% confidence
- Finding
- The implementation does not match the security-sensitive behavior described in the skill metadata. Instead of validating roles, checking sudo access, or auditing capabilities, it only prints the current username, which can mislead downstream users or agents into believing an access audit was performed when it was not. The fallback to the USER environment variable can also report attacker-controlled or inaccurate identity information if pwd lookup fails.
