Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 92% confidence
- Finding
- The skill clearly requires environment access to read AISA_API_KEY and network access to send authenticated requests to api.aisa.one, but it does not declare corresponding permissions. This can mislead users and security tooling about the skill's actual capabilities, reducing informed consent and weakening policy enforcement around secret use and outbound communications.
