Missing User Warnings
Medium
- Confidence: 93%
- Finding: The skill instructs users to place a raw blockchain private key directly into MCP and application config files, but does not prominently warn that this secret grants spending authority and must be treated as highly sensitive. Config files are often persisted on disk, copied into backups, synced across machines, or exposed through logs and screenshots, so normal usage can unintentionally leak the key and enable unauthorized fund transfers.
