Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 91% confidence
- Finding
- The skill declares runtime requirements for Python and an environment secret (`BROWSERACT_API_KEY`) and is intended to call an external API, but it does not declare explicit permissions for those capabilities. This creates a transparency and governance gap: an orchestrator or reviewer may not realize the skill can access secrets and make outbound requests, which increases the risk of unintended data exposure or execution in contexts where those capabilities should be restricted.
