Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 90% confidence
- Finding
- The skill requires access to environment variables, network, and local file writes, but it does not declare these permissions explicitly. This creates a transparency and governance gap: operators may execute the skill without understanding that it can read cloud credentials from the environment, contact external services, and persist artifacts locally. In a cloud-management skill, undeclared capabilities are especially risky because they can expose sensitive credentials or enable unreviewed outbound requests.
