Missing User Warnings
Medium
- Confidence: 94%
- Finding: The skill instructs the agent to make an x402-authenticated request using an EVM private key and states that payment authorization is handled automatically, but it does not present a clear, prominent warning that each invocation can directly spend wallet funds. This creates a real risk of unintended onchain payment by users or agents who may interpret the call as a normal free HTTP request, especially because the skill emphasizes 'No API key, no account, no subscription required' rather than the spending implications.
