Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 92% confidence
- Finding
- The skill invokes Python scripts that read an environment variable and make outbound network requests, but the skill metadata does not declare those capabilities. Undeclared env/network access weakens policy enforcement and user/operator visibility, which can lead to unintended data exposure or execution in contexts that assumed the skill was inert or fully constrained.
