Missing User Warnings
Medium
- Confidence
- 94% confidence
- Finding
- The documentation instructs users to configure long-lived Access Key credentials or a credential-fetching URI for an MCP server, but it does not warn about secret handling, least-privilege scoping, local-only binding, or the risk of exposing a credential endpoint to other local users/processes. In an agent/MCP context, these credentials may grant broad DataWorks access, so normalizing this setup without security guidance increases the chance of credential leakage or misuse.
