Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 86% confidence
- Finding
- The skill advertises networked API routing and external service integration, while the static analysis indicates capabilities such as env, file read/write, and network are present without any declared permissions. This creates a transparency and trust problem: users may invoke a skill that can access local resources or secrets beyond what its manifest communicates, increasing the risk of unintended data exposure or unauthorized outbound requests.
