Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 81% confidence
- Finding
- The skill advertises only a markdown-defined analyst workflow, yet the static analysis indicates access to environment variables, filesystem read/write, and network without declared permissions. Hidden capability expansion is dangerous because it can enable exfiltration of API keys, local report data, or user inputs, and can persist or alter files outside the user’s expectation.
