Lp3
Medium
- Category: MCP Least Privilege
- Confidence: 89%
- Finding: The skill documentation declares access to sensitive environment variables but does not clearly declare corresponding permissions or fully enumerate all secrets it expects. In a trading skill, hidden or understated env access is dangerous because operators may provide credentials without understanding the full secret exposure surface, increasing the chance of unintended secret use or abuse.
