Context-Inappropriate Capability
Medium
- Confidence: 94%
- Finding: The skill explicitly instructs reading AGENT_CONFIG.md that allegedly contains hard-coded tokens, competitor lists, output structure, and environment variables, and then sourcing a local .env file before execution. This goes beyond ordinary documentation and encourages broad credential access and local secret harvesting, which could expose sensitive data or enable unintended use of connected services.
