Description-Behavior Mismatch
Low
- Confidence
- 89% confidence
- Finding
- The skill documentation exposes API key management capabilities that are not disclosed in the manifest description, creating a scope mismatch between what the skill claims to do and what it can actually facilitate. This can mislead users or policy layers into approving a skill for routine email operations while it also enables creation and revocation of sensitive credentials, which could expand downstream access beyond expected boundaries.
