Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 70% confidence
- Finding
- Without declared permissions the skill's intent is opaque and cannot be validated.
Security audit
Security checks across malware telemetry and agentic risk
This skill is a local note-vault assistant with disclosed local writes, Ollama use, and git commits, and it explicitly limits publishing or pushing without consent.
Install only if you are comfortable letting an agent read and write the configured local vault and create local git commits there. Keep secrets out of the vault, use local Ollama unless you explicitly approve a remote model endpoint, and do not approve git push, publishing, or permaweb actions unless you have reviewed the resulting content.
- Cloud-only Kimi/Claude as primary (optional fallback only) - Autonomous overnight `/dream` v1 (not shipped — build after ingest+index stable) - Auto `git push`, ClawHub publish, or kernel egg plant without consent ## Setup
65/65 vendors flagged this skill as clean.
No suspicious patterns detected.