Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 90% confidence
- Finding
- The skill documentation describes capabilities to read local session data, overwrite ~/.codex/auth.json, and invoke the codex CLI, but it does not declare corresponding permissions or clearly surface that level of access in the manifest. This can mislead users and host tooling about the skill's real trust boundary, increasing the chance that sensitive files or account state are modified without informed consent.
