Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 89% confidence
- Finding
- The skill instructs use of environment variables containing an API key and calls out direct network access to a remote service, but it does not declare any explicit permissions or capability boundaries. That mismatch can cause the agent or operator to invoke networked actions and secret-bearing requests without clear review, increasing the risk of unintended data exposure or unsafe execution in environments that rely on declared permissions for enforcement.
