Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 86% confidence
- Finding
- The skill declares no permissions while its documented behavior and referenced script imply access to environment secrets, local files, and outbound network calls. This creates a transparency and governance problem: users and platforms may authorize or invoke the skill without understanding it can read `APICLAW_API_KEY`, access reference files, and contact external services.
