Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 92% confidence
- Finding
- The skill documentation describes capabilities that read local files/stdin, write output files, and send prompts to a remote medical-model API, but it does not declare corresponding permissions. This creates a transparency and policy-enforcement gap: integrators may deploy it without realizing it can access local data and transmit sensitive mental-health content over the network, increasing the risk of data leakage or misuse.
