Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 86% confidence
- Finding
- The skill declares itself as read-only and narrowly scoped, but it uses environment variables, file reads/writes, and network access without an explicit permission model. That gap matters because operators may trust the manifest's safety claims while the skill can still access secrets, contact remote services, and persist data locally.
