Brikko PII Mask

Advisory. Audited by static analysis on May 10, 2026.

Overview

Detected: suspicious.exposed_secret_literal

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Brikko receives the original text before it is masked for the downstream LLM.

Why it was flagged

The script sends the stdin text, which may contain personal data, to Brikko's anonymization endpoint. This matches the stated purpose and is disclosed, but it is still a sensitive third-party data flow.

Skill content

payload = json.dumps({"text": text}).encode("utf-8") ... f"{api_url}/v1/anonymize"

Recommendation

Install only if sending this PII to Brikko is acceptable for your privacy, compliance, and vendor-risk requirements; consider the documented self-hosted option for stricter data residency.

What this means

Anyone with access to the environment variable could use the Brikko API key.

Why it was flagged

The skill requires a Brikko API key and uses it as a bearer token for API calls. This is expected for the service integration, but it gives the scripts access to the user's Brikko account/API quota.

Skill content

api_key = os.environ.get("BRIKKO_API_KEY", "").strip() ... "Authorization": f"Bearer {api_key}"

Recommendation

Store the API key securely, avoid committing it to files, rotate it if exposed, and use a limited-purpose key if Brikko supports that.

What this means

Original personal data may remain recoverable on Brikko's service during the one-hour mapping window.

Why it was flagged

The skill discloses that the placeholder-to-original-PII mapping is stored by Brikko for one hour so restoration can work. This is bounded and purpose-aligned, but it is temporary remote retention of sensitive data.

Skill content

The mapping (placeholder → original) is stored in Redis on api.brikko.ru with a TTL of 1 hour

Recommendation

Confirm that the one-hour retention and Brikko's handling of mappings meet your requirements; use self-hosting or avoid the skill for data that cannot be sent to a third party.

Findings (1)

critical

suspicious.exposed_secret_literal

Location
README.md:61
Finding
File appears to expose a hardcoded API secret or token.