Context-Inappropriate Capability
Medium
- Confidence: 98%
- Finding: The skill hard-codes and instructs use of a built-in API key, causing agents to automatically attach a credential to outbound requests even when the user did not explicitly provide one. This creates credential-handling behavior, normalizes secret reuse across deployments, and can lead to abuse, rate-limit exhaustion, attribution leakage, or accidental propagation of the key into logs and downstream systems.
