Intent-Code Divergence
Medium
- Confidence
- 94% confidence
- Finding
- The script is presented as a simple ad generator, but it also searches a workspace documentation file for a Gemini API key and then uses that credential for an outbound API call. This hidden credential access is risky because it expands the script's behavior beyond its stated purpose and may cause users to unknowingly expose secrets to a third-party service.
