Lp3
Medium
- Category: MCP Least Privilege
- Confidence: 93%
- Finding: The skill describes file read/write behavior over a local project structure and automatic state persistence, but no explicit permissions are declared. That creates a mismatch between what the skill can do and what a user or platform policy can audit, increasing the risk of unintended local file access or modification. In this context the file operations are central to the skill’s purpose, so this appears more careless than malicious, but still a real security issue.
