Missing User Warnings
Medium
- Confidence: 95% confidence
- Finding: The skill instructs the agent to make an x402-authenticated request using an EVM private key, and it emphasizes convenience ('No API key, no account') without a prominent warning that the call will authorize a paid on-chain wallet-backed transaction. This creates a real risk of unexpected spending from the user's wallet, especially in autonomous agent contexts where users may not realize that simply invoking the skill can consume funds.
