Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 87% confidence
- Finding
- The skill declares required environment variables and instructs runtime network access to external API endpoints, but it does not declare corresponding permissions. This creates a capability/permission mismatch that can undermine platform security assumptions, cause overbroad execution in environments that infer trust from declarations, and make review harder because secret and network usage is not explicitly surfaced.
