Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 95% confidence
- Finding
- The skill requires access to sensitive environment variables and outbound network connectivity to operate, yet no declared permissions are provided. In this context, the omission is risky because the skill is explicitly designed to use a private key and connect to arbitrary Web3 dApps, which can lead to unauthorized fund movement or signing if users or platforms do not understand the required trust boundary.
