Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 83% confidence
- Finding
- The skill documentation declares only a Bash tool and does not disclose that the implementation requires outbound network access. Hidden or undeclared network capability is security-relevant because users and policy engines may approve the skill under an incomplete understanding of what it can do, enabling unexpected external data transfer or API calls. In this context, the skill’s stated purpose does involve contacting an image-generation service, so the risk is somewhat reduced, but the lack of explicit permission declaration still weakens transparency and reviewability.
