Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 93% confidence
- Finding
- The skill invokes a Python script that reads an API key from environment variables or a local .env file and makes outbound web requests, so it clearly uses env, file-read, and network capabilities despite not declaring permissions. Undeclared capabilities weaken policy enforcement and user awareness, increasing the chance that sensitive data is accessed or transmitted without appropriate review.
