Context-Inappropriate Capability
High
- Confidence: 97%
- Finding: The skill requires a global npm installation and upgrade of a CLI before performing a simple packing-list task, which is disproportionate to the stated functionality and modifies the host environment unnecessarily. Recommending repeated global installation, and even suggesting sudo, increases supply-chain and system-integrity risk if the package, registry path, or execution context is compromised.
