Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 89% confidence
- Finding
- The skill documentation instructs users to place an API key in a local config file and use scripts that read local files and make outbound network requests, but the skill declares no permissions. That mismatch weakens least-privilege controls and can cause users or platforms to authorize a skill without understanding it can access filesystem content, environment/config secrets, and remote URLs.
