Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 92% confidence
- Finding
- The skill documentation explicitly requires secrets in environment variables (`TQ_USERNAME`, `TQ_PASSWORD`) while declaring no permissions, creating a mismatch between documented behavior and declared security boundaries. This can lead to overbroad or implicit secret access, reduced user visibility into what sensitive data the skill needs, and weaker review/auditing of credential handling.
