Description-Behavior Mismatch
Medium
- Confidence: 95%
- Finding: The skill requests the full Google Drive OAuth scope in addition to the Sheets scope even though the stated purpose is batch Google Sheets operations. This unnecessarily expands the service account's effective access, increasing blast radius if the credential is misused or leaked and enabling broader file access than users would reasonably expect from a Sheets-focused skill.
