Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 85% confidence
- Finding
- The skill instructs the agent to invoke shell commands (`codexbar`, `python`) and read local files/stdin (`--input /tmp/cost.json`, `cat /tmp/cost.json`) but does not declare corresponding permissions. This creates a trust and enforcement gap: a host may treat the skill as low-privilege while it actually requires filesystem and shell access, increasing the chance of unintended command execution or local data exposure.
