Lp3
Medium
- Category: MCP Least Privilege
- Confidence: 94%
- Finding: The skill explicitly instructs users to run a Python script that fetches data from ESPN's API, so it has network capability even though no permissions are declared. This mismatch reduces transparency and can bypass expected permission review, but the documented use is narrow and aligned with the skill's football-score purpose rather than obviously malicious behavior.
