Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 84% confidence
- Finding
- The skill advertises access to environment variables and shell-capable behavior but does not declare corresponding permissions. In this context, that matters because the skill explicitly uses an API key for revocation and relies on external tooling, so undeclared env/shell capability weakens transparency and can lead users to authorize or execute higher-risk behavior without clear notice.
