Lp3
Medium
- Category: MCP Least Privilege
- Confidence: 84% confidence
- Finding: The skill documentation describes use of environment variables and network access, but no explicit permissions are declared. That creates a transparency and governance problem: users and platforms cannot clearly assess that the skill will access secrets and make outbound requests before use. In this context, the risk is moderate because the skill is explicitly API-driven, but undeclared capabilities still increase the chance of unintended secret exposure or unreviewed network behavior.
