Lp3
Medium
- Category: MCP Least Privilege
- Confidence: 95%
- Finding: The skill instructs the agent to execute multiple shell commands (`bash scripts/update-ox.sh`, `ox login`, `gh auth status`, `git config`, `claude`) and to modify local state, but it declares no permissions indicating shell/code execution. This creates a trust and consent gap: users may invoke what looks like a knowledge/query skill while it can run commands, change files, and potentially trigger login flows or installs on the host.
