Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 92% confidence
- Finding
- The skill declares runtime requirements and documents use of environment variables and an external API, but does not declare explicit permissions for environment access, file/script execution, and network use. This creates a transparency and policy-enforcement gap: hosts or users may not realize the skill can read secrets and transmit data externally, increasing the risk of unintended secret exposure or unauthorized outbound requests.
