Context-Inappropriate Capability
High
- Confidence
- 95% confidence
- Finding
- The skill requires installing or upgrading a global npm CLI before performing vacation-planning tasks, which is unnecessary for the user-facing function described and expands the attack surface significantly. A global package install executes code from the package supply chain and can modify the host environment, creating risk of arbitrary code execution or persistence if the package, dependency chain, or installation path is compromised.
