Lp3
Medium
- Category: MCP Least Privilege
- Confidence: 88%
- Finding: The skill requires access to an environment variable containing an API key and performs outbound network requests, but the manifest does not declare explicit permissions for those capabilities. This creates a governance and transparency gap: users or platforms may not realize the skill can exfiltrate secrets or communicate externally, making review and policy enforcement weaker even if the intended functionality is legitimate web search.
