Lp3
Medium
- Category: MCP Least Privilege
- Confidence: 94% confidence
- Finding: The skill documentation declares required environment variables, local file inputs, and outbound API/network operations, but there is no explicit permissions declaration to scope or warn about those capabilities. This can lead to over-broad execution in an agent platform, where a caller may not realize the skill can read local files, access secrets from the environment, and send data to external BytePlus/VOD endpoints.
