Lp3
Medium
- Category: MCP Least Privilege
- Confidence: 92%
- Finding: The skill invokes a script that uses environment variables and makes network calls, but the skill manifest does not declare corresponding permissions. This undermines transparency and consent: users may run a seemingly simple image-analysis skill without being clearly informed that it accesses secrets from the environment and communicates externally.
