Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 89% confidence
- Finding
- The skill documentation directs use of environment variables, persistent configuration writes, and external API calls, but no explicit permission declaration or user-facing consent boundary is present. This increases the risk that the skill will access local config and transmit user-supplied image data or secrets to an external service without adequate transparency or enforcement.
