Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 88% confidence
- Finding
- The skill advertises local file storage and multiple scripts that read and write persistent plan data, but no explicit permissions are declared. That creates a transparency and policy-enforcement gap: users and the platform may not understand that the skill can persist and modify data on disk. In a planning skill, stored content can include sensitive personal schedules, travel plans, deadlines, and notes, so undeclared file access is security-relevant.
