Lp3
Medium
- Category: MCP Least Privilege
- Confidence: 88%
- Finding: The skill explicitly describes a plugin that uses live OpenAI Codex OAuth usage and plugin hooks, which implies network-capable behavior, but the skill metadata does not declare any permissions or constraints around that capability. Undeclared network access is risky because users may install the skill without understanding that it can reach external services or handle remote data, reducing transparency and weakening trust and review controls.
