Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 86% confidence
- Finding
- The skill declares required binaries and environment variables and explicitly instructs writing report files and making outbound API calls, but it does not declare an explicit permissions model for those capabilities. This creates a transparency and least-privilege issue: a harness or reviewer cannot easily distinguish expected network/file/env access from overbroad behavior, increasing the chance of unintended data exposure or unsafe execution in permissive runtimes.
