Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 84% confidence
- Finding
- The skill requires access to a sensitive environment variable (`LINEAR_API_KEY`) and executes a bundled Node CLI, but the skill file does not declare an explicit permissions model beyond metadata requirements. That gap can cause agents or users to invoke code with credential access without clear least-privilege boundaries or consent semantics, increasing the chance of unintended secret exposure or misuse.
