Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 94% confidence
- Finding
- The skill documentation indicates use of environment variables, local file reads/writes, and outbound network access, yet no explicit permissions are declared. This creates a transparency and governance gap: users or platforms may invoke a skill that exfiltrates local data to a remote API and writes chart output without clear permission signaling. In this context, the danger is increased because the skill explicitly uploads user-provided datasets off-machine to a third-party service.
