Scope Creep
Medium
- Confidence
- 92% confidence
- Finding
- The manifest advertises actions such as sending emails, posting to social media, and registering accounts, but only declares browser access and file read permissions. This mismatch can hide the true operational scope of the skill from reviewers and users, increasing the risk of unintended write-side actions being executed through browser automation without explicit consent boundaries.
