Lp3
Medium
- Category: MCP Least Privilege
- Confidence: 83%
- Finding: The skill documents shell command execution (`curl`, `ffmpeg`, `sag`, `python3`, `uv`) but does not declare corresponding permissions/capabilities. That creates a transparency and policy-enforcement gap: a reviewer or runtime may underestimate what the skill can do, including network transmission and local file processing.
