abe-exchange-rates

Advisory

Audited by Static analysis on May 10, 2026.

Overview

Detected: suspicious.env_credential_access

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Using the XE scraping path may require a SkillBoss API key, and that key is transmitted to api.heybossai.com for the requested rate lookup.

Why it was flagged

The script reads an environment API key and sends it as a bearer token to the SkillBoss/HeyBoss API used for XE scraping.

Skill content
const SKILLBOSS_API_KEY = process.env.SKILLBOSS_API_KEY; ... 'Authorization': `Bearer ${SKILLBOSS_API_KEY}`
Recommendation

Use a scoped and rotatable API key if possible, and ensure the skill configuration clearly declares SKILLBOSS_API_KEY before enabling it.

Findings (1)

critical

suspicious.env_credential_access

Location
scripts/xe-rate.mjs:8
Finding
Environment variable access combined with network send.