Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 92% confidence
- Finding
- The skill declares required binaries and an API key but does not declare corresponding permissions while clearly instructing network access and GitHub/file synchronization workflows. This can undermine least-privilege controls and cause the host agent to invoke a skill with broader capabilities than a reviewer or policy engine expects.
