Threat surface

MCP clients and other tool-using agents need tighter credential boundaries, not looser ones.

If secret handling is reduced to a set of environment variables, the agent inherits a broad and poorly described surface area.

Overbroad tool context

An MCP client may operate with wide local visibility across files, processes, and tools. If credentials are also sitting in the environment, the model-facing context becomes needlessly rich in sensitive material.

Ambiguous credential selection

When multiple tokens exist for similar services, weak labels or environment variable names can cause an agent to choose the wrong one. That creates reliability and security problems at the same time.

Leakage through tool output

Tool calls, command output, traces, and debugging artifacts can all become paths for accidental secret disclosure if raw credentials are directly available to the agent process.

Design response

What KeyLore changes.

Metadata for discovery

KeyLore gives agents a structured metadata layer for finding the right credential based on purpose and scope rather than direct access to token values.

Brokered access for use

Instead of assuming the model should possess the secret, KeyLore routes usage through a brokered access pattern that keeps raw values separate from the AI-facing interface.
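
The two ideas above, metadata for discovery and brokered access for use, can be sketched as follows. This is an added illustration, not KeyLore's code or API: every name (`find_credentials`, `brokered_call`, the catalog records and the token values) is hypothetical and constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CredentialRecord:
    cred_id: str
    service: str
    purpose: str
    scopes: tuple

# Constructed sample data. Secret values live only inside the broker process.
_CATALOG = [
    CredentialRecord("gh-ci-read", "github", "read CI status for the docs repo", ("repo:status",)),
    CredentialRecord("gh-release", "github", "publish release artifacts", ("repo", "write:packages")),
]
_VAULT = {"gh-ci-read": "tok_constructed_READ_111", "gh-release": "tok_constructed_WRITE_222"}

def find_credentials(service, required_scope):
    """Agent-facing discovery: returns metadata only, never token values."""
    return [
        {"cred_id": r.cred_id, "purpose": r.purpose, "scopes": list(r.scopes)}
        for r in _CATALOG
        if r.service == service and required_scope in r.scopes
    ]

def _redact(text):
    """Scrub any vaulted value that an upstream tool echoes back."""
    for secret in _VAULT.values():
        text = text.replace(secret, "[REDACTED]")
    return text

def brokered_call(cred_id, required_scope, upstream):
    """Broker-side use: check scope, inject the secret, return redacted output."""
    record = next((r for r in _CATALOG if r.cred_id == cred_id), None)
    if record is None or required_scope not in record.scopes:
        raise PermissionError(f"{cred_id!r} is not approved for scope {required_scope!r}")
    headers = {"Authorization": f"Bearer {_VAULT[cred_id]}"}
    return _redact(upstream(headers))

def echoing_upstream(headers):
    """Constructed stand-in for a tool that leaks its auth header in debug output."""
    return f"200 OK debug: sent {headers['Authorization']}"
```

The agent selects by purpose and scope, so two similar GitHub tokens are disambiguated by metadata rather than by name, and a tool that echoes its auth header still returns only redacted text to the model-facing side.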