Intent-Code Divergence
Medium
- Confidence
- 96% confidence
- Finding
- The script promises that voice settings are included without API keys, but its sanitization only removes secret-like fields inside nested dictionaries and does not scrub top-level keys in the TTS config. If credentials are stored at the top level or under non-matching names, they will be written into the exported bundle and may be shared unintentionally. In a persona export workflow, users are especially likely to distribute the resulting archive, which increases the risk of credential disclosure.
