Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 92% confidence
- Finding
- The skill invokes `uv` to install/use `youtube-transcript-api` and fetch YouTube transcripts, which necessarily performs outbound network access, but the skill metadata does not explicitly declare a corresponding permission. This creates a transparency and policy gap: users or security controls may underestimate the skill's external communication behavior, making review and enforcement harder.
