Description-Behavior Mismatch
Medium
- Confidence: 89%
- Finding: The skill documentation claims it is 'not for HTTP-only proxying' and emphasizes secure private exposure, but the commands directly start a gateway and map remote hostnames to local IPs, which is functionally API exposure/proxying. This mismatch can mislead operators about the exposure model and trust boundary, increasing the chance they publish sensitive local services under weaker assumptions than intended.
