Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 94% confidence
- Finding
- The skill declares required binaries and environment variables but does not clearly declare permissions for network access and secret/env usage, even though it relies on outbound HTTPS requests with an API key. This weakens sandboxing and user consent because operators may not realize the skill can transmit credentials and queried data to a third-party service.
