That’s definitely part of the solution to limit the risk, but it does not eliminate it. That’s exactly something the tool demonstrates very well. If you can exploit , you can gently ask OIDC to mint you access on the fly. That’s what I call “dwell mode” where you hang for say 1 minute and you perform arbitrary thing with the OIDC access. So yes with short lived creds there’s no “offline access” and if leaves more traces but still.
How does this handle context that becomes stale? E.g., if one tool updates a deployment state and another tool's memory still has the old version. MCP gives you the pipe but not the consistency model.
Interesting approach for embedded use cases. Curious how you see this compared to the OIDC trend in CI/CD where the goal is eliminating stored secrets entirely — different problem space but related threat model.
On the defensive side, we are pushing to OIDC short-lived tokens - eliminating the this risk altogather