Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 94% confidence
- Finding
- The skill documentation describes capabilities to read user-provided files, write output files, and call an external image-generation API, but it does not declare permissions or scope limits. This creates a real security gap because the agent may be allowed to access local content and transmit it externally without explicit least-privilege controls or user-visible consent boundaries.
