Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 94% confidence
- Finding
- The skill declares environment variables and its metadata references a Python script, but there is no explicit permissions section describing access to network, files, and secrets. That mismatch can mislead operators and agents about the skill's effective capabilities, especially because it sends sensitive face media and API credentials to a cloud backend in a high-sensitivity eKYC context.
