Context-Inappropriate Capability
Medium
- Confidence
- 88% confidence
- Finding
- The skill provides concrete instructions and code to randomize X-Forwarded-For and X-Real-IP headers, which are commonly used for client identity, rate limiting, logging, abuse detection, and access controls. Although framed as load testing, ordinary performance testing does not require spoofing client IP metadata, and this guidance could enable evasion of IP-based defenses or produce misleading audit and observability data even in otherwise authorized environments.
