Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 83% confidence
- Finding
- The skill explicitly instructs the agent to invoke a Python script that fetches live ESG data, which implies network access, yet no permissions are declared. Undeclared network capability weakens security review and user/admin visibility into what the skill can access, creating risk of unexpected outbound requests or later capability creep.
