Context-Inappropriate Capability
Medium
- Confidence
- 96% confidence
- Finding
- The skill explicitly instructs the agent to fetch remote content at runtime and then treat that fetched content as authoritative rules and output instructions. This creates a supply-chain and prompt-injection risk: whoever controls or compromises the remote document can change the skill’s behavior, expand scope, or inject unsafe instructions without any local review or version pinning.
