Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 92% confidence
- Finding
- The skill declares use of an environment variable and clearly wraps a client that likely performs outbound API calls, but it does not declare corresponding permissions in the skill surface. That creates a transparency and policy gap: users and reviewers may not realize the skill can access secrets and send data off-box, which increases the chance of unintended credential exposure or unreviewed network use.
