Description-Behavior Mismatch
High
- Confidence
- 96% confidence
- Finding
- The skill explicitly states that user-provided cookies and similar credentials may be transmitted to a third-party API, while also mentioning content categories such as private messages and contacts in the returned data warning. That creates a real privacy and credential-handling risk because the skill is marketed as read-only/public-or-authorized analytics, yet it normalizes sending highly sensitive session material and processing potentially non-public personal data through an external service.
