Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 88% confidence
- Finding
- The skill declares required environment variables and clearly relies on outbound network access to a third-party API, but the skill manifest does not declare equivalent permissions/capabilities. This creates a transparency and governance gap: users may not realize the skill can access secrets and transmit data externally, which undermines informed consent and policy enforcement.
