Missing User Warnings
Medium
- Confidence: 94%
- Finding: The skill instructs the agent to use an environment-sourced EVM private key to make an authenticated paid network request, which can authorize blockchain spending without an explicit warning or consent step. Even if the endpoint is legitimate, this creates a credential-use and financial-spend risk because the agent may trigger on-chain payments automatically using a highly sensitive secret.
