Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 88% confidence
- Finding
- The skill declares no permissions, yet the content clearly indicates it reads local files and environment-backed secrets, including a hardcoded path to a .env file. That creates an authorization and transparency gap: users and the platform may treat the skill as harmless image generation while it can access sensitive local resources.
