Lp3
Medium
- Category: MCP Least Privilege
- Confidence: 92%
- Finding: The skill advertises no declared permissions while explicitly requiring access to environment variables, shell/package installation, network search APIs, and file output generation. This is a real security issue because hidden or undeclared capabilities reduce informed consent, weaken sandbox/policy enforcement, and can let an agent invoke broader access than a reviewer expects.
