Lp3
Medium
- Category: MCP Least Privilege
- Confidence: 88%
- Finding: The skill documentation indicates access to environment-backed secrets and outbound network capabilities, but no explicit permissions are declared. In a skill that can place phone calls, use Twilio/OpenAI credentials, and expose a webhook, missing permission declarations reduce transparency and can prevent users or the platform from understanding the real trust boundary. This is especially risky because the capability set can incur charges and interact with external parties.
