Missing User Warnings
Medium
- Confidence: 95%
- Finding: The skill instructs the agent to make an x402-authenticated request and states that payment authorization is handled automatically, but it does not clearly warn that using the configured EVM private key may spend wallet funds. Because the skill metadata explicitly requires EVM_PRIVATE_KEY and mentions USDC on Base mainnet, an operator could unknowingly authorize paid calls and incur real financial cost.
