Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 95% confidence
- Finding
- The skill exposes sensitive capabilities including environment-variable access, filesystem writes, and network use, but does not declare permissions. That creates a transparency and governance gap: users or orchestrators may invoke a skill capable of reading credentials, placing trades, and persisting data without an explicit permission boundary. In a financial-trading context, undeclared capabilities are more dangerous because they can affect both secrets and real money.
