Context-Inappropriate Capability
Medium
- Confidence
- 93% confidence
- Finding
- The `/admin-key` enable/disable operations expose a high-privilege bypass mechanism that can override normal page access restrictions for admins. In an agent-mediated workflow, enabling an admin key increases the blast radius of prompt misuse or confused-deputy behavior because subsequent API calls may access restricted content the user did not intend the agent to handle.
