Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 95% confidence
- Finding
- The skill explicitly states that it will read an API key from an environment variable or a local key file and transmit that credential, along with user search terms, to an external service. If the platform does not declare the required permissions or data access clearly, this creates a hidden secret-access and exfiltration path that can surprise operators and violate least-privilege expectations.
