Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 90% confidence
- Finding
- The manifest declares no permissions while the skill explicitly requires environment-based secrets such as SIMMER_API_KEY and, elsewhere in the file, SOLANA_PRIVATE_KEY. That mismatch weakens review and consent because operators may install or trust the skill without realizing it consumes high-value credentials for trading actions.
