Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 94% confidence
- Finding
- The skill documentation advertises commands that read and write local files and make outbound network requests, but it does not declare corresponding permissions. This creates a transparency and policy-enforcement gap: users or orchestrators may invoke the skill without realizing it can access the filesystem, write outputs/cache data, and contact external services.
