Lp3
Medium
- Category: MCP Least Privilege
- Confidence: 93%
- Finding: The skill documentation shows it uses environment variables and network access to send WeCom messages, yet no permissions are declared. This creates a transparency and policy-enforcement gap: an agent or platform may invoke a skill with capabilities the user did not explicitly approve, enabling outbound data transmission and secret use without clear consent.
