Context-Inappropriate Capability
Medium
- Confidence
- 88% confidence
- Finding
- The module fetches and stores additional directory attributes such as email, mobile, department IDs, and open_id even though the stated purpose is name-to-user_id resolution. This violates data minimization and increases privacy and abuse risk because any downstream code using this module can access broader employee directory data than necessary.
