Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 90% confidence
- Finding
- The skill clearly describes network access, shell execution, and local file writes for OAuth, exports, uploads, and token/cache storage, but these capabilities are not declared in the manifest as permissions. Undeclared sensitive capabilities weaken user/operator understanding of what the skill can do and reduce the effectiveness of policy enforcement or review.
