Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 95% confidence
- Finding
- The skill explicitly states it uses HTTP to fetch external RSS feeds, which is a network capability, but the metadata only declares a Python runtime requirement and no corresponding permission or capability declaration. Undeclared network access weakens security review and policy enforcement because an agent or platform may invoke a skill with broader behavior than its manifest suggests.
