Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 89% confidence
- Finding
- The skill documentation indicates capabilities to read environment variables, read local config files, and make network requests, but it does not explicitly declare permissions for those behaviors. This reduces transparency and informed consent, especially because the bundled script can read credentials from both the environment and ~/.openclaw/openclaw.json before transmitting data to a third-party API.
