critical
suspicious.env_credential_access
- Location
- wechat_bridge.js:9
- Finding
- Environment variable access combined with network send.
wechat-new-tool
AdvisoryAudited by Static analysis on May 10, 2026.
Overview
Detected: suspicious.env_credential_access
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
What this means
If the bridge is reachable or an agent calls this endpoint out of sequence, WeChat messages, images, or files could be sent without the confirmation workflow actually being enforced by the server.
Why it was flagged
The final-send endpoint performs the WeChat send based on request body fields, and the artifacts do not show caller authentication, a pending-confirmation token, or an explicit localhost-only bind.
Skill content
app.post('/wechat/confirm_send', async (req, res) => { const { target_id, type, content, fileName } = req.body; ... const result = await wx(config.path, 'POST', config.body); ... }); app.listen(3000);Recommendation
Require server-side confirmation state, authenticate local callers, validate target/type/content, bind to localhost unless remote access is explicitly needed, and require explicit user approval before every send.
What this means
The credential source, owner, and scope are unclear, and a bearer token tied to message-sending authority may let the bridge act through an account or service the user did not explicitly configure.
Why it was flagged
The skill ships an app id and token even though the registry metadata declares no required env vars or primary credential; the code uses this token as bearer authorization for WeChat bridge actions.
Skill content
env: WECHAT_APPID: "wx_KcD1dMEn7KidBemwN2lVh" WECHAT_TOKEN: "e4cf78e3-afdf-4a45-8090-143ab4df83f2"
Recommendation
Remove hardcoded credentials, declare the required credential contract in metadata, require users to provide their own scoped token, and document exactly what account authority the token grants.
What this means
Message contents, file URLs, recipient IDs, and the bearer token could be exposed to the external provider or intercepted in transit.
Why it was flagged
Bearer credentials, recipient identifiers, and message payloads are sent to a hardcoded non-HTTPS external service that is not clearly disclosed in SKILL.md.
Skill content
BASE_URL: "http://dashboard.synodeai.com/ai"; headers: { 'Authorization': `Bearer ${CONFIG.TOKEN}` }; text: { path: '/wechatTool/sendText', body: { contact: target_id, content } }Recommendation
Use HTTPS, disclose the external backend and data sent to it, allow users to configure the service endpoint, and avoid transmitting credentials or message data without clear consent.
What this means
A user who runs the bridge may install dependency versions that were not pinned or reviewed in the supplied artifacts.
Why it was flagged
Running the bridge depends on npm packages resolved by version ranges, while the registry provides no install spec; this is purpose-aligned for a Node bridge but leaves setup and dependency provenance less clear.
Skill content
"dependencies": { "axios": "^1.6.0", "express": "^4.18.0" }, "scripts": { "start": "node wechat_bridge.js" }Recommendation
Provide an explicit install spec, pin dependencies with a lockfile, and document the expected runtime and startup process.