Missing User Warnings
Medium
- Confidence
- 91% confidence
- Finding
- The skill explicitly instructs operators to provide wallet private keys inline in environment variables and to persist seller API keys locally, but it does not strongly warn against logging, prompt leakage, shell history exposure, or insecure file permissions. In a payments skill, these secrets directly control funds and merchant capabilities, so accidental exposure can lead to wallet theft, unauthorized spending, store takeover, or fraudulent withdrawals.
