Endpoints

Advisory

Audited by static analysis on May 10, 2026.

Overview

Detected: suspicious.env_credential_access

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the skill grants it access to the user's Endpoints account. If ENDPOINTS_API_URL is changed to an untrusted host, the key and uploaded data could be sent there.

Why it was flagged

The code reads an API key from the environment and sends it as a Bearer token to the configured API URL.

Skill content

const API_URL = process.env.ENDPOINTS_API_URL || "https://endpoints.work";
const API_KEY = process.env.ENDPOINTS_API_KEY;
...
Authorization: `Bearer ${API_KEY}`;
...
await fetch(url, { ...options, headers })

Recommendation

Use only a trusted ENDPOINTS_API_URL, keep the API key private, and rotate the key if it is exposed.

What this means

A mistaken or ambiguous delete request could remove data from the user's Endpoints account.

Why it was flagged

The skill intentionally exposes destructive API actions that can remove endpoint data and associated files.

Skill content

`deleteEndpoint(path)` | Delete endpoint and all associated files
`deleteItem(itemId)` | Delete a single item by its 8-char ID

Recommendation

Ask for an exact endpoint path or item ID and explicit confirmation before running delete functions.

What this means

Documents selected for scanning are sent to the external Endpoints service for AI extraction.

Why it was flagged

The scanFile function reads a user-provided local file path and uploads that file to the Endpoints scan API.

Skill content

const fileContent = readFileSync(filePath);
...
formData.append("files", new Blob([fileContent]), fileName);
...
apiRequest<ScanResult>("/api/scan", ...)

Recommendation

Only scan files the user intentionally selected and is comfortable uploading to the provider.

What this means

Sensitive document information may remain on disk after the task completes.

Why it was flagged

The workflow persists API responses and summaries locally, which may include extracted document text, entities, file URLs, and metadata.

Skill content

All results automatically save as JSON files to `results/{category}/`... read the saved JSON files and create a markdown summary in `results/summaries/`

Recommendation

Review and delete the results/ directory when working with sensitive documents, and avoid sharing saved summaries unintentionally.

What this means

Installing dependencies downloads and runs standard npm package installation logic from the npm ecosystem.

Why it was flagged

The skill requires a local npm dependency installation even though the registry says there is no install spec. The provided package.json shows standard dependencies and no postinstall script.

Skill content

Install dependencies: cd scripts && npm install

Recommendation

Install only in a trusted environment and review package.json/package-lock.json if supply-chain provenance matters.

Severity: critical

Signal: suspicious.env_credential_access

Location: scripts/src/index.ts:11

Finding: Environment variable access combined with network send.