Context-Inappropriate Capability
Low
- Confidence
- 89% confidence
- Finding
- The example render imports GSAP from a third-party CDN at runtime, which introduces a supply-chain and integrity risk: whoever controls or tampers with that dependency path can execute arbitrary JavaScript in the rendering context. In this skill's context, the file is an HTML render artifact for a captioning pipeline, so remote script loading is inconsistent with the described local/offline workflow and unnecessarily expands trust boundaries.
