Missing User Warnings
Medium
- Confidence
- 94% confidence
- Finding
- The skill instructs users to provide a raw `PRIVATE_KEY` via environment variable and inline configuration examples, but gives no warning about secret handling, wallet isolation, test-only usage, or the risk of exposing signing authority through shell history, logs, process listings, or copied config files. Because this server performs onchain write actions, compromise of that key can directly enable unauthorized escrow creation, acceptance, completion, or other fund-affecting transactions from the controlled account.
