Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 82% confidence
- Finding
- The skill advertises access to environment-derived configuration such as `XHS_CDP_URL` but does not declare corresponding permissions. Undeclared capability use weakens reviewability and least-privilege controls, making it easier for a skill to consume runtime configuration or endpoints without explicit operator awareness.
