Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 87% confidence
- Finding
- The skill documentation instructs the model to read environment-backed configuration, persist API keys, and call external network APIs, but no explicit permission declaration or user-facing capability disclosure is present. This weakens transparency and policy enforcement around network access, local secret handling, and file writes, making misuse or overreach harder to detect.
