Context-Inappropriate Capability
Medium
- Confidence
- 95% confidence
- Finding
- The manifest declares a dependency on the external binary `curl`, which is not justified by the stated purpose of a local breathing exercise skill. Unnecessary network-capable tools expand the attack surface by enabling outbound requests, remote content retrieval, or data exfiltration if later invoked by the skill or related tooling.
