Description-Behavior Mismatch
Medium
- Confidence: 91%
- Finding: The OpenAPI spec exposes multiplayer room creation/join operations that are outside the stated skill purpose of portfolio viewing, yield claiming, and minting. This scope expansion increases the agent's reachable attack surface and could let an invoking user or prompt chain drive the agent into unintended networked game/session behavior, including account/session handling not anticipated by the manifest.
