Context-Inappropriate Capability
Medium
- Confidence
- 87% confidence
- Finding
- The skill documentation states that the script automatically reads a bearer token from a local user config file to authenticate API calls. Even if intended for convenience, automatic credential access expands the skill's privileges and can expose or misuse sensitive auth material if the script is compromised, overly broad, or run in an unexpected context.
