Lp3
Medium
- Category: MCP Least Privilege
- Confidence: 94%
- Finding: The skill declares environment variables and describes file-based token caching plus outbound API calls, but it does not declare corresponding permissions. This creates a transparency and governance gap: operators may not realize the skill can read secrets, write shared cache files, and transmit data over the network, which weakens review and containment.
