Context-Inappropriate Capability
Medium
- Confidence
- 94% confidence
- Finding
- The documentation explicitly instructs users to extract a live Bunpro bearer token from browser console, network traffic, or local storage. That is a credential-harvesting pattern: even if intended for convenience, it normalizes exposing sensitive session tokens and enables any consumer of the skill to access the user's account via the unofficial API.
