Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 80% confidence
- Finding
- The skill advertises use of an environment variable (`NEAR_SKILL_KEY`) for encryption but the manifest does not declare any permissions for environment access. Undeclared access to environment data weakens transparency and can lead to broader-than-expected secret exposure if the runtime allows env reads implicitly.
