Lp3
Medium
- Category: MCP Least Privilege
- Confidence: 88%
- Finding: The skill documentation describes capabilities that use environment variables, local credential files, and networked services, but it does not declare corresponding permissions or clearly communicate them to users. This creates a transparency and consent problem: users may invoke a voice skill that accesses tokens and transmits content to local services without understanding its effective privileges.
