Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 89% confidence
- Finding
- The skill explicitly relies on the `XAI_API_KEY` environment variable, which means it has access to environment-based secrets, yet no permissions are declared. This can mislead users and hosting systems about the skill's actual capabilities, weakening least-privilege controls and making secret exposure or unintended secret use harder to audit.
