Context-Inappropriate Capability
Medium
- Confidence
- 92% confidence
- Finding
- The skill reads an AuthToken from a local file in the skills directory and automatically attaches it to outbound API requests. While this appears intended to support authenticated use of the social-media search service, it still grants the code access to a local secret that is not derived from per-request user input, increasing the blast radius if the skill or surrounding environment is compromised and creating a credential-handling risk beyond the user-facing search functionality.
