Context-Inappropriate Capability
Medium
- Confidence: 94%
- Finding: The package defines a postinstall script that automatically executes local code during installation, creating a supply-chain execution point before a user intentionally runs the art tool. For a drawing skill, install-time code execution is not inherently required and increases risk because any compromise of the package or script would run on every install in the consumer's environment.
