Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 89% confidence
- Finding
- The skill declares no permissions, yet its own description indicates it loads connection details from environment variables via a .env file. That means it implicitly consumes potentially sensitive secrets without transparent permission declaration, which can surprise users and lead to unintended credential exposure or unauthorized broker access.
