Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 91% confidence
- Finding
- 技能文档声明的权限与实际能力不一致,会削弱平台和用户对该技能行为边界的判断,导致文件读写与外联等高风险操作在缺乏充分披露下发生。对于涉及支付、订单文件和远程服务的技能,这种低披露会放大误用和数据暴露风险。
Security audit
Security checks across malware telemetry and agentic risk
This paid article service is mostly coherent, but it handles payment credentials and possible publishing actions with under-scoped and misleading security controls.
Install only if you trust the provider and are comfortable sending article requests and payment credentials to its backend. Avoid real paid use or WeChat publishing until the provider uses verifiable HTTPS, documents credential/account handling and data retention, fixes the success-status bug, and adds explicit review/confirmation before publishing-related actions.
56/56 vendors flagged this skill as clean.
No suspicious patterns detected.