Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 95% confidence
- Finding
- The skill metadata declares required binaries and environment variables, and the examples clearly use outbound network access and an API key, but there is no explicit permissions declaration to inform the host or user of those capabilities. This weakens transparency and policy enforcement around secret access and external communication, increasing the chance that users authorize the skill without understanding it will transmit authenticated requests to a third-party service.
