Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 94% confidence
- Finding
- The skill advertises and documents use of an API key and external API/tool execution, which implies environment-variable access and network egress, yet it declares no permissions. This creates a transparency and governance gap: users and hosting platforms may not realize the skill can access secrets and send data to third-party services, increasing the chance of unsafe deployment or misuse.
