Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 88% confidence
- Finding
- The skill advertises and operationally requires sensitive capabilities—environment access for API credentials, local file reads for image input, and network access to a cloud backend—but does not declare permissions explicitly. This creates a transparency and governance gap: agents or reviewers may approve or run the skill without understanding that local files and secrets can be accessed and transmitted externally.
