Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 93% confidence
- Finding
- The skill invokes shell commands (`curl`) and therefore has execution/network capabilities that are not explicitly declared or warned about. This is dangerous because the skill will transmit the user's public IP and related metadata to third-party services, creating an undeclared privacy and capability boundary that users and policy controls may not expect.
