Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 95% confidence
- Finding
- The skill invokes shell commands, performs network access to the Whoop API, reads reference files, and writes sensitive OAuth tokens locally, yet it declares no permissions or trust boundaries. This creates a transparency and consent problem: users and hosting systems are not clearly informed that the skill can access external services and persist sensitive data on disk.
