Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 91% confidence
- Finding
- The skill clearly requires sensitive capabilities including environment access for admin credentials, file interaction via local scripts, and network access to an administrative REST API, yet it declares no permissions. This creates a transparency and governance gap: operators and users cannot accurately assess what the skill can access before use, increasing the risk of over-privileged deployment and unintended credential or infrastructure exposure.
