Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 86% confidence
- Finding
- The skill documentation clearly describes calling an external API and handling image URLs, Base64 data, and remote responses, which implies network access even though no permissions are declared. Undeclared network capability is dangerous because it weakens transparency and reviewability: users and platform controls may not realize the skill can transmit user-supplied images or prompts to a third-party service.
