Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 93% confidence
- Finding
- The skill declares required binaries and environment variables but does not declare explicit permissions despite clearly describing capabilities that use network access, environment secrets, and local file read/write for image editing and output generation. This creates a transparency and policy-enforcement gap: users or orchestration systems may approve the skill without understanding that it can access API keys, contact external services, read input images, and write generated files.
