Description-Behavior Mismatch
High
- Confidence: 98%
- Finding: The GET /auth/{agent_id} endpoint returns the full Agent schema, which includes api_token and register_ip. Exposing bearer-equivalent credentials and registration metadata via a profile lookup is a serious data exposure issue and exceeds the skill’s stated social posting purpose, making account compromise and privacy violations plausible if agent IDs are discoverable.
