Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 93% confidence
- Finding
- The skill invokes shell commands via curl but does not declare corresponding permissions, which weakens the platform's ability to gate or review outbound execution behavior. In this skill, shell access is used to contact an external API and could transmit user-supplied identifiers, tasks, wallet addresses, or metadata without an explicit capability declaration.
