Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 91% confidence
- Finding
- The skill requires access to a sensitive environment variable and makes network-backed Todoist API calls, but it does not declare permissions or capability expectations in a machine-enforceable way beyond the credential block. This can weaken security review and user awareness, increasing the risk of over-privileged execution or unintended external data access.
