Context-Inappropriate Capability
Medium
- Confidence: 90%
- Finding: The skill is presented as operating on local files, but the documented startup command requires APP_ID, APP_KEY, and an API_URL, indicating local documents are sent to an external service for conversion or extraction. This creates a real security and privacy risk because users may assume processing is local and unknowingly transmit sensitive document contents over the network, potentially to an insecure or misconfigured endpoint such as plain HTTP.
