Context-Inappropriate Capability
Medium
- Confidence
- 92% confidence
- Finding
- The skill explicitly instructs the agent to store `agentToken` and `roomId` in persistent memory or a database, which creates a credential retention capability beyond the immediate gameplay interaction. Even if intended for reconnect/resume behavior, long-lived storage of bearer tokens increases the risk of token leakage, reuse by other skills/components, or unintended cross-session access if the storage layer is compromised or over-broadly accessible.
