Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 89% confidence
- Finding
- The skill requires an environment secret and explicitly invokes a remote report service, but it does not declare corresponding permissions in a user-visible way. This creates a transparency and governance gap: the skill can access sensitive credentials and make outbound network requests without clear permission metadata, making review, policy enforcement, and user trust weaker.
