Tp4
High
- Category: MCP Tool Poisoning
- Confidence: 97%
- Finding: The skill's declared purpose is knowledge-base maintenance, but the instructions also authorize package installation, git initialization/commits, optional remote sync, and creation of persistent OS-level services. That scope expansion is security-relevant because it turns a content-management skill into one that can modify the host environment, establish persistence, and potentially transmit data, all without clear up-front consent boundaries.
