Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 84% confidence
- Finding
- The skill explicitly requires calling multiple external platform APIs to retrieve real-time hotel data, which implies network access, yet no corresponding permission declaration is present. This creates a governance and transparency gap: the runtime may grant broader access than users or reviewers expect, and the skill could make outbound requests to third-party services without clear authorization boundaries.
