Lp3
Medium
- Category: MCP Least Privilege
- Confidence: 97%
- Finding: The skill explicitly requires environment variables and makes outbound network calls, yet it declares no permissions. That mismatch is a real security issue because hosts, users, or policy engines may assume the skill is less capable than it actually is, reducing transparency and weakening sandboxing or approval workflows. In this specific skill, the undeclared capabilities are especially relevant because it can access sensitive runtime configuration and continuously submit on-chain liquidation transactions over the network.
