Lp3
Medium
- Category: MCP Least Privilege
- Confidence: 91%
- Finding: The skill clearly instructs the agent to use environment variables, read and write token files, and make network calls to the Miro API, yet it declares no permissions. That mismatch can bypass user or platform expectations about what the skill is capable of, reducing transparency and making sensitive actions like token handling and external API access easier to invoke without proper review.
