Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 93% confidence
- Finding
- The skill declares no permissions while its documented behavior clearly requires reading environment variables, reading local files for batch input, and sending data over the network to a third-party API. This mismatch can mislead users and security controls about the skill's capabilities, increasing the chance that sensitive data is processed or exfiltrated without informed approval.
