Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 88% confidence
- Finding
- The skill performs file-writing behavior (cache CSVs and generated reports) but does not declare any permissions for that capability. Undeclared write access weakens user visibility and policy enforcement, making it easier for a skill to persist data or overwrite files in ways the platform did not explicitly authorize. In this context the writes appear aligned with the skill’s function, but the lack of declaration is still a real security/control issue.
