Context-Inappropriate Capability
Medium
- Confidence
- 92% confidence
- Finding
- This file implements a standalone TOTP generator that can ingest authentication secrets from environment variables or local JSON files, enabling the skill to handle MFA material unrelated to its declared Gemini web interaction purpose. In the context of an agent skill, this expands capability into credential processing and could be used to facilitate account access, session continuation, or exfiltration of 2FA secrets if invoked inappropriately.
