Missing User Warnings
Medium
- Confidence: 92%
- Finding: The skill documentation instructs the agent to supply an EVM private key directly to a third-party paid request flow, but it does not prominently warn that this credential authorizes wallet-backed spending and must be handled as highly sensitive secret material. In an agent setting, this can normalize unsafe key exposure or cause users to connect a funded wallet for automated micropayments without clear consent boundaries, increasing the risk of unintended charges or key compromise if the surrounding runtime is not hardened.
