Lp3
Medium
- Category: MCP Least Privilege
- Confidence: 91%
- Finding: The skill advertises operational steps that use environment variables, network access, and shell/PowerShell execution, but it does not declare those capabilities or permissions. That mismatch weakens security review and informed consent, making it easier for a user or host system to invoke code with broader access than expected, especially because it installs dependencies and asks for an API key in a local `.env` file.
