Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 88% confidence
- Finding
- The skill requires capabilities consistent with environment access, file read/write, and network use, but does not declare them. This weakens transparency and permission review, making it harder for users or the platform to understand that passport images and API keys may be read, stored, and transmitted externally. In a document-processing skill handling highly sensitive identity data, undocumented capabilities increase the risk of silent data exposure or overbroad access.
