Missing User Warnings
Medium
- Confidence
- 89% confidence
- Finding
- The README instructs users to place a raw private key directly into MCP configuration as an environment variable, but provides no warning about secure secret handling, key scoping, or the risk of wallet compromise. In a skill that interacts with on-chain contracts and tokenized rewards, this normalization of unsafe key handling increases the chance that users expose signing credentials in plaintext config files, shell history, logs, or synced dotfiles.
