Lp3
Medium
- Category: MCP Least Privilege
- Confidence: 95%
- Finding: The skill clearly requires access to environment variables, local files, network APIs, and writes output artifacts, yet no explicit permission declaration is present in the metadata. This creates a transparency and governance gap: users or orchestrators may invoke a networked, credential-using skill without clear capability disclosure, increasing the chance of unintended secret access, local file exposure, or unsafe execution in less-trusted contexts.
