Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 92% confidence
- Finding
- The skill documentation describes use of environment variables for credentials and a Python script that performs outbound network access, but the skill does not declare corresponding permissions. This creates a transparency and governance gap: agents or reviewers may underestimate the skill's ability to read secrets and communicate externally, which increases risk of credential misuse or unreviewed data exfiltration.
