Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 89% confidence
- Finding
- The skill advertises local transcript/download functionality while static analysis detected network and shell-capable behavior without any declared permissions. Undeclared capabilities reduce transparency and can mislead users and host platforms about the actual attack surface, especially because shell execution and outbound network access can be abused for arbitrary command execution or uncontrolled data transfer.
