Lp3
Medium
- Category: MCP Least Privilege
- Confidence: 86% confidence
- Finding: The skill requires network access and an environment secret (`WERYAI_API_KEY`) but does not declare explicit permissions, which weakens installer/runtime transparency and can cause users to grant trust without understanding the actual capability surface. In this skill's context, that matters because it can call external APIs and potentially upload local images, so under-declared capabilities increase the chance of unintended data exposure or secret misuse.
