Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 95% confidence
- Finding
- The skill clearly declares access to an environment secret (`SALESFLARE_API_KEY`) and instructs use of local scripts that perform network requests, but the analyzer indicates these effective capabilities are not reflected as explicit permissions. This mismatch weakens security review and sandboxing because consumers may underestimate that the skill can read secrets, invoke shell/Python, access files, and send authenticated requests to an external API.
