Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 88% confidence
- Finding
- The skill documentation instructs users to run a Node.js CLI and references environment-based cloud credentials, but the skill declares no permissions. That creates a transparency and governance gap: users or orchestration systems may treat the skill as low-risk while it can access environment configuration and potentially sensitive credentials at runtime.
