Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 92% confidence
- Finding
- The skill invokes network and shell-capable behavior (`curl` to a host bridge and optional use of environment-sourced secrets) without declaring explicit permissions. That creates a transparency and policy-enforcement gap: users or orchestrators may approve the skill believing it is low-privilege when it can actually send reminder contents off-process to a listening service on the host. In this context, the bridge targets `host.docker.internal`, which increases sensitivity because it crosses the container boundary into the host environment.
