Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 96% confidence
- Finding
- The skill explicitly uses environment variables, reads and writes a local cache file, performs network communication to Chromecast devices over ADB, and invokes shell-executed tools like adb, scrcpy, uv, and yt-api, yet no permissions are declared. This creates a transparency and trust problem: users and orchestrators may authorize or invoke the skill without understanding that it can access the network, persist device information, and execute host binaries.
