Lp3
Medium
- Category: MCP Least Privilege
- Confidence: 91%
- Finding: The skill documentation instructs use of an environment variable (`AMAP_API_KEY`) and outbound network access to the Amap API, but no explicit permissions are declared. That creates a real security governance gap: the runtime may allow secret access and external requests without transparent review, making it harder to enforce least privilege and detect misuse if the skill is modified or behaves unexpectedly.
