Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 83% confidence
- Finding
- The skill invokes a bundled Node script that performs network access and may read environment state, yet the manifest does not explicitly declare those capabilities. Undeclared capabilities undermine least-privilege review and can hide data flows or outbound requests from users and platform policy checks. In this context the functionality is expected to need network access, which lowers suspicion somewhat, but the missing declaration is still a real security transparency issue.
