Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 93% confidence
- Finding
- The skill documentation describes code that performs outbound network access to multiple public Ethereum RPC and explorer endpoints, but no corresponding permissions are declared. This creates a security and governance gap: reviewers and runtime policy engines may not understand that the skill can contact external services, potentially exposing metadata, enabling unvetted data flows, or bypassing expected approval controls.
