Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 84% confidence
- Finding
- The skill documentation describes access to API keys, SMTP credentials, and local skill data sources, but no declared permissions are present to make those capabilities explicit. This creates a transparency and governance gap: reviewers and users cannot easily understand that the skill reads environment-backed secrets and interacts with other skills' data, increasing the chance of over-privileged or unexpected execution.
