Context-Inappropriate Capability
High
- Confidence
- 96% confidence
- Finding
- The Copilot support code searches local auth-profile files for GitHub OAuth tokens, uses them to mint fresh session tokens, and stores the refreshed token locally. That is a powerful credential-access and token-exchange capability that goes beyond a simple voting engine and can surprise users by repurposing unrelated local credentials without explicit consent.
