Lp3
Medium
- Category: MCP Least Privilege
- Confidence: 88%
- Finding: The skill instructs the agent to use environment secrets (`SIMMER_API_KEY`, `WALLET_PRIVATE_KEY`) and make network requests to external APIs, but it does not declare those capabilities/permissions. That creates a transparency and policy gap: a user or platform may invoke a skill that can access sensitive credentials and perform live trading/network actions without an explicit permission boundary.
