Missing User Warnings
Medium
- Confidence: 94%
- Finding: The skill instructs the agent to make an x402-authenticated request using the user's EVM private key and states that payment authorization is handled automatically, but it does not clearly warn that invoking the skill can spend funds from the user's wallet. Because the call is paid and the required secret is an on-chain private key, users or downstream agents may trigger billable requests without informed consent, leading to unexpected financial loss or repeated charges.
