Lp3
Medium
- Category: MCP Least Privilege
- Confidence: 89%
- Finding: The skill explicitly instructs the agent to invoke local scripts that perform address lookup, plan retrieval, and URL generation, which implies external network access despite no declared permission for it. Undeclared network capability is dangerous because it hides data flows and expands the attack surface for exfiltration of user-provided address and utility data to third-party services without transparent permissioning.
