Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 89% confidence
- Finding
- The skill clearly documents network access, shell execution, and file upload/write behavior, yet it declares no permissions or trust boundaries. That mismatch can cause the platform or user to underestimate what the skill can do, increasing the chance of unintended data transfer, local file access, or command execution without informed consent. In context, this skill is specifically designed to fetch remote content and upload files to a self-hosted cloud, which makes undeclared capabilities more operationally significant.
