Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 86% confidence
- Finding
- The skill documentation indicates use of environment variables, outbound network access to a third-party financial API, and local file writing, but it does not declare corresponding permissions. This creates a transparency and policy-enforcement gap: hosts or users may invoke the skill without understanding that it can access secrets, contact external services, and persist data locally.
