Context-Inappropriate Capability
Medium
- Confidence
- 97% confidence
- Finding
- The skill is documented as receiving GH_TOKEN via environment injection, yet it also instructs itself and sub-agents to read tokens from local config files. That expands credential access beyond the minimum necessary scope and causes the skill to actively seek secrets from disk, including from shared bot locations like /data/.clawdbot/openclaw.json.
