Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 93% confidence
- Finding
- The skill invokes local Node.js scripts that use network access and optional environment variables, but the skill metadata does not declare corresponding permissions or capabilities. This weakens platform-level security review and user awareness, because a seemingly harmless research skill can silently reach external services and consume secrets such as API keys.
