Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 88% confidence
- Finding
- The skill documentation describes a tool that scans outbound content for secrets and private identifiers, which inherently implies reading files and potentially inspecting environment-derived content, yet the skill declares no permissions. This mismatch is dangerous because it can cause operators or policy engines to under-trust the actual access the skill requires, weakening least-privilege review and enabling broader-than-expected data exposure during use.
