Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 92% confidence
- Finding
- The skill declares environment variables and documents execution of a Python script that reads local media files and sends results to a cloud backend, which implies env, file_read, and network capabilities without an explicit permissions declaration. This creates a transparency and governance gap: agents or platforms may under-enforce policy, and users may not understand that sensitive KYC media and API credentials are being accessed and transmitted off-host.
