Description-Behavior Mismatch
Medium
- Confidence: 95%
- Finding: The skill instructs the agent to run an external package-management command (`apt install fonts-noto-cjk`) even though the skill is supposed to perform local score analysis with Python tooling. Allowing environment-modifying package installs expands the trust boundary, can change the host system, and is unrelated to the core task of analyzing spreadsheet data.
