Context-Inappropriate Capability
Medium
- Confidence: 96%
- Finding: The skill explicitly instructs the agent to read a local credentials file and use an API key for authentication, which goes beyond harmless game guidance and into sensitive secret handling. In an agent setting, normalizing direct credential access without explicit user consent or scoped secret management creates a clear path to unauthorized account actions or misuse of stored secrets.
