Context-Inappropriate Capability
Medium
- Confidence
- 95% confidence
- Finding
- The client automatically searches for an API key in environment variables and in local files outside the immediate script, then uses whatever it finds for outbound requests. This creates an unnecessary secret-discovery capability relative to a customs query client and can cause unintended credential harvesting or cross-skill secret reuse, especially in shared workspaces.
