Context-Inappropriate Capability
Medium
- Confidence
- 94% confidence
- Finding
- The skill asks users to provide and store third-party credentials and API keys in a workspace file, which introduces secret-handling risk beyond simple public sentiment scanning. Because the skill is framed as scanning public feedback, collecting reusable credentials materially expands its access and breach impact if the workspace, logs, or downstream tools are compromised.
