Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 89% confidence
- Finding
- The skill documentation indicates access to an environment secret (`EM_API_KEY`), outbound network use (`httpx` to a remote API), and local file output (CSV and description files), but the skill does not declare explicit permissions for these capabilities. Undeclared capabilities reduce transparency and can weaken policy enforcement, making it easier for a skill to access secrets, exfiltrate data to a remote service, or write files without users understanding the operational risk.
