Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 94% confidence
- Finding
- The skill explicitly instructs the agent to make outbound HTTP requests ('Fetch the limits discovery endpoint directly' and 'fetch one of them') and even suggests using curl, fetch, or another HTTP client, but the metadata declares no permissions for network access. This creates a capability/permission mismatch that can bypass operator expectations, leading to unintended SSRF-style access to internal resources, access to sensitive local network endpoints, or policy violations if the runtime does not strictly gate egress.
