Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 95% confidence
- Finding
- The skill instructs the agent to read user files, optionally write output files, and access environment-scoped paths/scripts, but it declares no permissions or constraints. This creates a capability/permission mismatch that can lead to overbroad file access or unintended data exposure because the runtime and reviewer are not told what resources the skill needs.
