Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 92% confidence
- Finding
- The skill advertises and documents capabilities that access environment variables, local files, databases, external URLs, and the Notion API, but it does not declare any permissions or scope boundaries. This creates a real security governance gap: users and the platform cannot accurately understand or constrain what the skill may read, write, or send over the network, increasing the risk of unintended data exposure such as API keys, proposal documents, and database contents.
