Context-Inappropriate Capability
Medium
- Confidence: 98%
- Finding: The script reads a DeepSeek API key from an unrelated external file at /home/admin/.openclaw/openclaw.json, expanding its trust boundary beyond its own configuration. This creates credential-access behavior that can unintentionally harvest or reuse secrets from another tool, which is especially risky for a content generator that does not need to inspect third-party app configs to function.
