Context-Inappropriate Capability
Medium
- Confidence: 97%
- Finding: The custom overlay feature reads attacker-controlled HTML/CSS/JS fragments and injects them verbatim into the generated index.html, explicitly allowing arbitrary JavaScript execution in the render environment. In this skill context, that is more dangerous because the feature is presented as routine video post-production, but it can load remote resources, exfiltrate local data accessible to the renderer, or abuse any browser/Node integration present in HyperFrames during rendering.
