Lp3
Medium
- Category: MCP Least Privilege
- Confidence: 90%
- Finding: The skill advertises access to environment variables and networked Google Calendar sync, but does not declare any explicit permissions or trust boundaries. This creates a real security gap because a caller or platform may not realize the skill can access OAuth secrets and perform external sync operations, increasing the chance of over-privileged execution and accidental secret exposure.
