Context-Inappropriate Capability
Low
- Confidence
- 88% confidence
- Finding
- The documentation explicitly states that `TCED_PAN_DOMAIN` and `TCED_BASE_PATH` determine where all API requests, including OAuth2 token traffic, are sent, and that these values are persisted to `~/.tced-mcp/auth.json`. This creates a real security risk because if those environment variables are misconfigured or attacker-controlled, access and refresh tokens could be sent to an untrusted endpoint and the unsafe configuration would survive across sessions.
