Context-Inappropriate Capability
Medium
- Confidence
- 93% confidence
- Finding
- The guide shows device behavior being controlled directly by a server response field (`debug == 'restart'`) without any authentication, authorization, integrity validation, or operator-confirmation safeguards. In an IoT context, this creates a dangerous command-and-control pattern: a compromised server, spoofed response, or man-in-the-middle condition could remotely force device restarts or extend to additional privileged actions.
