Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 94% confidence
- Finding
- The skill documentation describes capabilities that require network access, filesystem reads/writes, and use of environment-provided API keys, but it does not declare permissions for those operations. Undeclared capabilities are dangerous because they hide the real trust boundary from users and policy enforcement, increasing the chance the skill is run with broader access than reviewers expect.
