Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 70% confidence
- Finding
- Without declared permissions the skill's intent is opaque and cannot be validated.
Security audit
Security checks across malware telemetry and agentic risk
Evalpal is a straightforward EvalPal integration that uses a declared API key to list, run, and check evaluations.
Install this only if you want your agent to access EvalPal with your API key. Use a scoped or dedicated key if available, keep EVALPAL_API_URL on the trusted EvalPal endpoint, and remember that list/status/run output may expose project names, eval names, run IDs, and test results in chat.
fi
# Check for required tools
for tool in curl jq; do
if ! command -v "$tool" >/dev/null 2>&1; then
echo "Error: '$tool' is required but not installed"
exit 165/65 vendors flagged this skill as clean.
No suspicious patterns detected.