Vague Triggers
Medium
- Confidence
- 92% confidence
- Finding
- The skill enables implicit invocation for a capability that can make protected API calls based on broad user inputs like an app name or App Store link, but the file does not define a narrowly constrained activation scope. This increases the chance the agent will invoke the skill unexpectedly on loosely related prompts, causing unreviewed external data access or unintended disclosure of user-supplied app targets to the third-party service.
