Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 89% confidence
- Finding
- The skill documentation clearly instructs use of an external API and helper script, so the skill has network capability despite not declaring permissions. This is not inherently malicious, but the missing permission declaration weakens transparency and review controls because users and tooling may not be alerted that data is sent off-platform.
