Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 95% confidence
- Finding
- The skill advertises operational commands that invoke shell scripts and likely read environment-based API configuration, but it declares no permissions or capability scope. This creates a transparency and control gap: users or platforms may treat the skill as low-risk while it can execute local commands and access sensitive configuration during setup and maintenance.
