Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 89% confidence
- Finding
- The skill documentation describes use of environment variables, reading a local .env file, and making outbound API requests, but no explicit permission/scope declaration is surfaced in the skill content beyond runtime requirements metadata. This can lead users or orchestrators to underestimate the skill's access to local secrets and external network destinations, reducing transparency and weakening trust boundaries.
