Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 91% confidence
- Finding
- The skill clearly instructs the user to read project files and write a generated .pre-commit-config.yaml, yet the metadata shown in SKILL.md does not declare corresponding permissions. That mismatch weakens trust boundaries and informed consent: a platform or user may assume the skill is non-invasive when it can inspect repository contents and modify files.
