Context-Inappropriate Capability
Medium
- Confidence
- 95% confidence
- Finding
- The example returns a public gateway URL for uploaded attachment content, which can cause encrypted user attachments to become broadly accessible outside XMTP's intended delivery path. Even if payloads are encrypted, publishing stable public URLs leaks metadata, increases retention and redistribution risk, and may expose content if encryption is misused elsewhere or keys are later compromised.
