Description-Behavior Mismatch
Medium
- Confidence
- 92% confidence
- Finding
- The script persistently writes KEYAPI_TOKEN into the user's shell startup profile, causing the credential to be loaded into future shells outside the immediate task scope. Persisting secrets in broadly sourced profile files increases exposure to accidental disclosure, unintended reuse by unrelated processes, and profile-file tampering risks, especially since the skill's stated purpose is Pinterest analysis rather than system-level shell configuration.
