Lp3
Medium
- Category: MCP Least Privilege
- Confidence: 94%
- Finding: The skill documentation explicitly states that it writes a state file and markdown review reports, but the skill declares no permissions. This mismatch is a real security issue because consumers and policy engines cannot accurately assess or constrain the skill's side effects, increasing the chance of unauthorized file modification or writes to unexpected locations via configurable paths.
