Context-Inappropriate Capability
Medium
- Confidence
- 96% confidence
- Finding
- The skill explicitly instructs the agent to inspect the current project for existing configuration files such as .env, appsettings.json, or config locations and place API keys there. That expands the agent from guidance into secret discovery and modification of local sensitive files, which can expose credentials, alter unrelated application configuration, or normalize writing secrets into insecure locations.
