Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 94% confidence
- Finding
- The skill explicitly instructs the agent to execute a shell script (`bash scripts/diagnose.sh`) and even supports `--fix`, but the metadata declares no permissions. This creates a trust and review gap: users and enforcement systems are not clearly informed that the skill can run commands and modify the host system, which is especially risky for a diagnostics skill that touches services, permissions, logs, and channels.
