Context-Inappropriate Capability
Medium
- Confidence: 97%
- Finding: This script implements a local man-in-the-middle style reverse proxy for authentication, rewrites Set-Cookie attributes, strips browser security headers, and captures the shimo_sid session token for storage. Even if intended to simplify login, this materially expands the skill from document export into credential interception and session handling, creating a high-risk path for session theft, misuse, or accidental exposure if the local proxy is abused or the saved token is read by other local processes.
