Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 94% confidence
- Finding
- The skill documentation instructs users to configure and rely on sensitive environment variables for cloud credentials, but the skill declares no permissions despite clearly requiring access to secrets in the environment. This creates a transparency and least-privilege problem: an agent or platform may expose credentials to the skill without an explicit permission boundary, increasing the risk of unintended secret access or misuse.
