Context-Inappropriate Capability
Medium
- Confidence
- 94% confidence
- Finding
- The skill mandates `--persistent` for all new sessions, causing cookies, localStorage, and login state to be stored on disk even though simple YouTube playback does not require durable authentication state. Persisting browser data increases exposure to credential/session theft, cross-user leakage on shared systems, and unintended reuse of authenticated state by later automations.
