Context-Inappropriate Capability
Medium
- Confidence
- 92% confidence
- Finding
- The wrapper accepts input indirectly from broad environment variables such as SKILL_USER_PROMPT, USER_PROMPT, PROMPT, and similar fields, then parses those free-form strings to locate a filesystem path and options. This expands the trust boundary beyond an explicit file argument, making it easy for unintended prompt content or orchestrator-supplied data to influence which local file gets read and OCR'd, creating a real data exposure and confused-deputy risk.
