Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 89% confidence
- Finding
- The skill clearly instructs users to run scripts that fetch RSS feeds and crawl arbitrary URLs, which implies outbound network access, yet no permissions are declared in the skill metadata. This creates a transparency and governance gap: reviewers and runtime policy systems cannot accurately assess or constrain what the skill is allowed to do, increasing the risk of unintended external access or misuse.
