Lp3
Medium
- Category: MCP Least Privilege
- Confidence: 93%
- Finding: The skill advertises and demonstrates network access (fetching remote WeChat articles) and file-writing behavior (`--output report.md`, JSON/YAML output) but does not declare permissions or constraints. Hidden or undeclared capabilities reduce user awareness and policy enforcement, making it easier for the skill to perform remote requests or write files in contexts where the user did not explicitly consent.
