Context-Inappropriate Capability
Medium
- Confidence
- 95% confidence
- Finding
- The spec explicitly documents that `GET /iot/info` returns LocalWeb `user` and `password` in plaintext, and the API also exposes station IPs, device IDs, and inventory data. Even though the server is intended to bind only to 127.0.0.1, it also allows `Access-Control-Allow-Origin: *`, so any local webpage, browser context, or untrusted app process able to reach loopback could harvest credentials and directly control or query IoT devices; in this skill context, that capability is core to operating the home automation environment, which makes the exposure especially sensitive.
