Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 90% confidence
- Finding
- The skill metadata declares runtime requirements for environment variables and binaries, and the workflow clearly instructs running Python scripts that call an external API, yet there is no explicit permissions declaration to inform or constrain those capabilities. This creates a transparency and governance gap: users and platforms may not realize the skill can access secrets, execute shell commands, and make network requests, increasing the risk of unintended data exposure or unsafe execution.
