Lp3
Medium
- Category: MCP Least Privilege
- Confidence: 91%
- Finding: The skill documentation describes capabilities that perform network requests, write files, and access environment-backed execution context, but the skill declares no corresponding permissions. This creates a transparency and policy-enforcement gap: reviewers, users, or runtime controls may underestimate what the skill can do, while the script downloads remote content and stores artifacts locally.
