Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 92% confidence
- Finding
- The skill clearly requires access to a private key via environment variable or CLI argument, yet no explicit permissions are declared. This creates a transparency and consent problem: an invoking agent or user may not realize the skill consumes sensitive wallet credentials and can spend funds on-chain. In blockchain contexts, undeclared secret access is especially risky because misuse directly enables irreversible transactions and gas expenditure.
