Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 95% confidence
- Finding
- The skill content includes shell commands, environment variable use (`LYGO_STACK_ROOT`), and filesystem read behavior, while the static finding indicates these capabilities are not declared through the expected permission model. Even though the markdown claims restrictive behavior such as 'no subprocess' and validated reads only, the documented workflow still instructs an agent to execute shell-like installation and Python commands, creating a mismatch that can lead to undeclared capability use and unsafe execution assumptions.
