Context-Inappropriate Capability
Medium
- Confidence
- 92% confidence
- Finding
- The skill mandates an automatic version-check request to a third-party service (clawhub.ai) on every first activation in a conversation, even though this is not required to fulfill the market-data function. This creates unnecessary outbound network access and metadata leakage about skill usage, and expands the trust boundary to an unrelated service without explicit user consent.
