Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 89% confidence
- Finding
- The skill declares access to secrets and an MCP endpoint but does not declare explicit permissions, which weakens governance and makes it easier to deploy the skill with broader capabilities than reviewers expect. In this context, the skill can read environment-provided credentials and drive live Odoo write operations, so missing permission declarations materially reduce transparency and increase the chance of unauthorized or unsafe use.
