Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 95% confidence
- Finding
- The skill requires an environment variable and instructs execution of a Python script that calls an external BrowserAct service, but it does not declare corresponding permissions. This creates a transparency and policy-enforcement gap: the agent may access secrets and transmit user-supplied queries to the network without an explicit permission model, increasing the chance of unintended data disclosure or unsafe execution.
