Context-Inappropriate Capability
Medium
- Confidence
- 92% confidence
- Finding
- The skill explicitly reads an authentication token from the user's WSL config and places it into a browser URL. Even if intended to open a local dashboard, this is credential handling that increases exposure through process arguments, browser history, logs, screenshots, and copied URLs; the launcher role does not clearly justify taking custody of the token this way.
