Senior Secops

Advisory

Audited by static analysis on May 10, 2026.

Overview

Detected: suspicious.dynamic_code_execution, suspicious.exposed_secret_literal

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If pointed at the wrong directory, the scanner will read more local source and configuration files than intended.

Why it was flagged

The skill directs the user to run local Python scanners over project paths, including the current directory. This is consistent with the security-audit purpose, but it gives the tool read access to everything under the selected path.

Skill content
python scripts/security_scanner.py /path/to/project ... python scripts/compliance_checker.py . --framework all
Recommendation

Run the scripts only against the intended repository checkout or CI workspace. Do not point them at a home directory, a filesystem root, or unrelated folders that hold credentials or other sensitive files.
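One way to enforce that recommendation, as an added example rather than code from the skill: a guard that a wrapper script applies before it invokes scripts/security_scanner.py or scripts/compliance_checker.py. The policy it encodes (target must resolve inside an allowed workspace root, must not be the home directory or an ancestor of it, and must contain a .git entry) is an assumption; the directory layout in run_demo is constructed for the demonstration.

```python
from __future__ import annotations

import tempfile
from pathlib import Path

# Added example: a guard a wrapper script can apply before invoking
# scripts/security_scanner.py or scripts/compliance_checker.py. It is not part
# of the skill; the accepted-root policy below is an assumption.


def resolve_scan_root(target: str, allowed_roots: list[str], home: Path | None = None) -> Path:
    """Return the resolved scan root or raise ValueError if it is not an intended target.

    A target is accepted only if it resolves (symlinks followed) to a directory that
    sits inside one of allowed_roots, is neither the home directory nor an ancestor
    of it, and contains a .git entry, i.e. it looks like a repository checkout.
    """
    root = Path(target).resolve()
    home = (home or Path.home()).resolve()
    if not root.is_dir():
        raise ValueError(f"{root} is not a directory")
    # $HOME and anything above it ('/', '/home') would sweep up dotfiles,
    # credential stores and unrelated projects.
    if root == home or root in home.parents:
        raise ValueError(f"refusing to scan {root}: home directory or an ancestor of it")
    allowed = [Path(a).resolve() for a in allowed_roots]
    if not any(root == a or a in root.parents for a in allowed):
        raise ValueError(f"refusing to scan {root}: outside the allowed workspace roots")
    if not (root / ".git").exists():
        raise ValueError(f"refusing to scan {root}: not a repository checkout")
    return root


def run_demo() -> dict[str, bool]:
    """Exercise the guard on a constructed directory layout; returns which checks held."""
    base = Path(tempfile.mkdtemp())
    repo = base / "work" / "repo"
    (repo / ".git").mkdir(parents=True)          # looks like a checkout
    plain = base / "work" / "notes"
    plain.mkdir()                                # a directory without .git
    fake_home = base / "home" / "user"
    fake_home.mkdir(parents=True)
    allowed = [str(base / "work")]

    def rejected(target: Path, roots: list[str]) -> bool:
        try:
            resolve_scan_root(str(target), roots, home=fake_home)
            return False
        except ValueError:
            return True

    return {
        "repo_accepted": resolve_scan_root(str(repo), allowed, home=fake_home) == repo.resolve(),
        "non_checkout_rejected": rejected(plain, allowed),
        "home_rejected": rejected(fake_home, [str(base)]),
        "home_ancestor_rejected": rejected(base, [str(base)]),
        "outside_roots_rejected": rejected(repo, [str(base / "elsewhere")]),
    }


if __name__ == "__main__":
    for check, held in run_demo().items():
        print(f"{check}: {'ok' if held else 'FAILED'}")
```

The home-ancestor rule is the one that matters most in practice: "." is the documented way to invoke compliance_checker.py, and a shell whose working directory is $HOME or / turns that into a scan of every credential file the user can read.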

What this means

A changed or compromised third-party CI action could run in your pipeline with access to the Snyk token used for scanning.

Why it was flagged

A reference CI template references a third-party GitHub Action by a mutable branch name (@master) and passes a service token to it through the environment. This is an example in the skill's documentation, not automatic skill behaviour, but copying it as-is would create supply-chain exposure: whoever can push to that branch controls the code that receives the token.

Skill content
uses: snyk/actions/node@master ... SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
Recommendation

If adopting the CI example, pin each GitHub Action to a full commit SHA (branches and tags can be moved to different code; a SHA cannot) and use a token scoped to the minimum the scan needs.
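The pinning rule, as an added example and not part of the skill's CI template: a small checker that flags every remote action in a workflow file that is not referenced by a 40-hex commit SHA. SAMPLE_WORKFLOW is constructed; it combines the page's snyk/actions/node@master step with a tag reference, a local action and a SHA-pinned step. The example-org/example-action name and its SHA are placeholders, not real identifiers.

```python
from __future__ import annotations

import re

# Added example, not the skill's CI template. SAMPLE_WORKFLOW is constructed; the
# example-org/example-action name and its SHA are placeholders, not real identifiers.
SAMPLE_WORKFLOW = """\
name: security-scan
on: [push]
jobs:
  snyk:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      - uses: ./.github/actions/local-lint
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567  # v1.2.3
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def unpinned_actions(workflow_text: str) -> list[tuple[int, str]]:
    """List (line number, reference) for every remote action not pinned to a full commit SHA.

    Branches (@master) and tags (@v4) are mutable references: the owner, or anyone who
    compromises the repository, can move them to different code that then runs with the
    job's secrets. Only a 40-hex commit SHA identifies immutable content. Local actions
    (./path) ship with the calling repository and are skipped.
    """
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./"):
            continue
        _, _, version = ref.rpartition("@")   # no "@" at all leaves version == ref, which is flagged
        if not FULL_SHA_RE.match(version):
            findings.append((lineno, ref))
    return findings


if __name__ == "__main__":
    for lineno, ref in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is not pinned to a commit SHA")
```

Keeping the human-readable version in a trailing comment, as the last step does, preserves the information a reviewer needs while the SHA is what the runner resolves. Note that the SNYK_TOKEN in the page's example is an external secret, so a GitHub permissions: block does not limit it; scoping has to happen where the token is issued.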

What this means

Generated security reports may contain real API keys, passwords, or proprietary source snippets, and will leak them if shared broadly.

Why it was flagged

The scanner intentionally detects secrets and stores a code_snippet with each finding, so generated reports and console output may carry sensitive material copied verbatim from the scanned codebase.

Skill content
SECRET_PATTERNS = [ ... 'Hardcoded API key detected' ... 'AWS Secret Key' ... ] ... code_snippet: str
Recommendation

Treat generated reports as confidential, redact secret values before sharing, and rotate any real credentials the scanner discovers: a credential that has been copied into a report should be treated as exposed.
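The redaction step, as an added example that is not the skill's own code: the page quotes only fragments of the scanner's SECRET_PATTERNS list, so the two patterns below are an assumption chosen to cover the rule names it shows, and the Finding class mirrors the quoted code_snippet field. The sample findings are constructed; the AWS values are the placeholder credentials AWS publishes in its own documentation, not live keys.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Added example, not the skill's own code. The patterns are an assumption covering
# the two rule names the page quotes; Finding mirrors the quoted code_snippet field.


@dataclass
class Finding:
    rule: str
    file: str
    line: int
    code_snippet: str


# The named group "secret" marks the part that must not survive into a shared report.
SECRET_VALUE_PATTERNS = [
    # AWS access key ids have a fixed "AKIA" prefix followed by 16 characters.
    re.compile(r"\b(?P<secret>AKIA[0-9A-Z]{16})\b"),
    # Generic: a key/secret/password/token-like name assigned a quoted or bare value.
    re.compile(r"(?i)\b[a-z_]*(?:key|secret|password|token)\s*[:=]\s*['\"]?(?P<secret>[^'\"\s]{8,})"),
]

# Constructed sample findings; the AWS values are the documentation placeholders.
SAMPLE_FINDINGS = [
    Finding("Hardcoded API key detected", "app/config.py", 12, 'API_KEY = "sk_live_0123456789abcdef"'),
    Finding("AWS Secret Key", "deploy/env.sh", 3, "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE"),
    Finding("AWS Secret Key", "deploy/env.sh", 4, 'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"'),
]


def mask(value: str, keep: int = 4) -> str:
    """Keep a short prefix so the finding can still be matched to the credential;
    the fixed-width marker reveals neither the rest nor the original length."""
    return value[:keep] + "<redacted>"


def redact_snippet(snippet: str) -> str:
    """Replace every secret value in a snippet, leaving the surrounding code readable."""
    out = snippet
    for pattern in SECRET_VALUE_PATTERNS:
        def _replace(m: re.Match) -> str:
            start, end = m.span("secret")
            whole = m.group(0)
            return whole[: start - m.start()] + mask(m.group("secret")) + whole[end - m.start():]
        out = pattern.sub(_replace, out)
    return out


def redacted_report(findings: list[Finding]) -> list[dict]:
    """Build the report rows that may be shared: same metadata, redacted snippet."""
    return [
        {"rule": f.rule, "file": f.file, "line": f.line, "code_snippet": redact_snippet(f.code_snippet)}
        for f in findings
    ]


if __name__ == "__main__":
    for row in redacted_report(SAMPLE_FINDINGS):
        print(f"{row['file']}:{row['line']}  {row['rule']}: {row['code_snippet']}")
```

Redacting at report-generation time rather than at share time is the safer order: console output, CI logs and ticket attachments all tend to receive the unredacted form otherwise. The unredacted findings still belong in a restricted location so the discovered credentials can be rotated.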

Findings (3)

Severity: critical
Signal: suspicious.dynamic_code_execution
Location: scripts/security_scanner.py:120
Finding: Dynamic code execution detected.

Severity: critical
Signal: suspicious.exposed_secret_literal
Location: references/security_standards.md:532
Finding: File appears to expose a hardcoded API secret or token.

Severity: critical
Signal: suspicious.exposed_secret_literal
Location: SKILL.md:349
Finding: File appears to expose a hardcoded API secret or token.