Intent-Code Divergence
Medium
- Confidence: 91%
- Finding: The skill documentation describes image input in a narrower way than the provided implementation, which accepts remote URLs and fetches them server-side with requests.get(). That mismatch can hide SSRF-like behavior, unexpected outbound network access, and privacy exposure because a user or downstream agent may assume only local files are processed when the code can retrieve arbitrary remote content.
