Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 93% confidence
- Finding
- The skill instructs the agent to run `npm install` and a Node audit script against arbitrary user-supplied URLs, which clearly implies outbound network access, but the skill metadata does not declare any corresponding permission boundary. That mismatch is dangerous because it hides the skill's true capability surface from policy enforcement and user review, making SSRF-style access to internal resources or unintended data egress easier if the runtime honors the instructions.
