Description-Behavior Mismatch
Medium
- Confidence
- 94% confidence
- Finding
- The skill is presented as a mandatory local safety checklist for system-level modifications, but it also includes unrelated instructions for publishing code to GitHub through proxies and with personal access tokens embedded in remote URLs. Mixing operational guardrails with credential-handling and network exfiltration workflows expands the skill’s scope and can normalize unsafe token usage, increasing the chance of accidental secret exposure or unauthorized code publication.
