Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 90% confidence
- Finding
- The skill documentation describes concrete capabilities to read local files, write output files, and send sensitive medical report content to a remote API, yet no permissions are declared. This creates a transparency and governance gap: operators may run the skill without understanding that protected health information can leave the local environment and be written to disk, increasing privacy, compliance, and data leakage risk.
