Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 94% confidence
- Finding
- The skill documentation clearly indicates use of environment variables for an API key, local file upload, writing results to disk, and network transmission to a remote cloud service, yet no explicit permissions are declared. This creates a transparency and policy-enforcement gap: users or platforms may not be able to accurately evaluate or constrain the skill's access to sensitive files, credentials, and outbound data flows.
