Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 90% confidence
- Finding
- The skill documentation indicates use of sensitive capabilities including environment-variable access, local file read/write, and outbound network access, but it does not declare corresponding permissions. This creates a transparency and governance gap: users or the platform may not realize the skill can access API keys, read local files, write outputs, and send content to a remote OCR service.
