Context-Inappropriate Capability
Medium
- Confidence: 97%
- Finding: The script executes `npm install form-data --no-save` at runtime via `execSync`, which introduces supply-chain and arbitrary command execution risk into normal operation. Even though the package name is fixed, installing code on demand means unreviewed package lifecycle scripts may run and the environment is modified during use, which is unsafe for an agent skill.
