Magic Link Bridge

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill is a coherent Supabase magic-link helper, but it depends on a high-privilege Supabase service-role credential and on login tokens that must be protected.

Use this skill only if you are intentionally implementing a Supabase portal magic-link flow. Keep the service-role key on the backend, protect the link-generation endpoint with server-side authorization, and confirm the portal strips token parameters from the URL before analytics or other third-party scripts can observe them.

Static analysis

Exposed secret literal

Severity: Critical
Finding: File appears to expose a hardcoded API secret or token.
Check whether the flagged value is an actual key literal or only the SUPABASE_SERVICE_ROLE_KEY variable reference quoted under Risk analysis below; if a real service-role key is committed in the file, treat it as compromised and rotate it.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the service-role key leaks, anyone holding it can perform privileged Supabase auth/admin actions, including generating login links for any account.

Why it was flagged

The backend example uses Supabase's service-role credential for an admin auth call. That is purpose-aligned, but the key is high-privilege, so exposing it or using it from client-side code hands that privilege to anyone who can read the page source or bundle.

Skill content
apikey: SUPABASE_SERVICE_ROLE_KEY, Authorization: 'Bearer ' + SUPABASE_SERVICE_ROLE_KEY
Recommendation

Keep the service-role key only in trusted backend/serverless environments, never ship it to the browser, and rotate it if it may have been exposed.
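A cheap check that backs up both the static finding and this recommendation: Supabase API keys are JWTs whose payload carries a `role` claim (`anon` or `service_role`), so a backend can refuse to start with the wrong key and a build step can refuse to ship a service-role key to the browser. The following is an added example, not code from the skill; the sample keys it builds are constructed and unsigned, and the bundle-scanning regex is a heuristic of my own.

```javascript
// Added example (not the skill's code): classify a Supabase key by decoding its
// JWT payload. Assumes the `role` claim Supabase puts in its anon/service_role keys.

function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64 + '='.repeat((4 - (b64.length % 4)) % 4), 'base64').toString('utf8');
}

// Returns the `role` claim, or null if the value is not a JWT with a JSON payload.
function supabaseKeyRole(value) {
  const parts = String(value).split('.');
  if (parts.length !== 3) return null;
  try {
    const payload = JSON.parse(base64UrlDecode(parts[1]));
    return typeof payload.role === 'string' ? payload.role : null;
  } catch {
    return null;
  }
}

// Backend startup guard: only the service_role key may back admin calls.
// Throws if the configured key is the anon key or not a Supabase key at all.
function assertServiceRoleKey(value) {
  const role = supabaseKeyRole(value);
  if (role !== 'service_role') {
    throw new Error(`SUPABASE_SERVICE_ROLE_KEY has role ${role ?? 'unknown'}, expected service_role`);
  }
  return true;
}

// Client-bundle guard: scan built JS text for embedded JWTs whose role is
// service_role. Returns the offending tokens; an empty array means the bundle is clean.
function findServiceRoleKeys(bundleText) {
  const jwtPattern = /eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*/g; // heuristic, assumption
  const hits = [];
  for (const match of bundleText.match(jwtPattern) || []) {
    if (supabaseKeyRole(match) === 'service_role') hits.push(match);
  }
  return hits;
}

// Constructed, unsigned sample key for demonstration only (the signature is fake).
function fakeSupabaseKey(role) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  const header = enc({ alg: 'HS256', typ: 'JWT' });
  const payload = enc({ iss: 'supabase', ref: 'abcdefghij', role, iat: 1700000000, exp: 2000000000 });
  return `${header}.${payload}.sig`;
}
```

Run `assertServiceRoleKey(process.env.SUPABASE_SERVICE_ROLE_KEY)` once at server start, and `findServiceRoleKeys` over the built client assets in CI; a non-empty result should fail the build and trigger rotation, since a key that reached a build artifact has usually reached a registry or CDN as well.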

What this means

An endpoint that does not check who is calling it could let unauthorized users mint login links for any customer account, which is effectively an account takeover.

Why it was flagged

The sample backend flow can mint valid magic-login links. This is the intended function, but the snippet does not include the surrounding endpoint authorization or rate limiting that a production implementation needs.

Skill content
fetch(`${SUPABASE_URL}/auth/v1/admin/generate_link`, ... body: JSON.stringify({ type: 'magiclink', email: customer.email })
Recommendation

Require server-side authorization for whoever can request a magic link, derive the email from trusted customer records, rate-limit requests, and audit link generation.
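Putting the four recommendations together, the following is an added example of what the missing surrounding endpoint looks like; it is not code from the skill or from ClawScan. The generate_link URL, headers and request body are the ones the skill already uses; the session shape, customer store, audit sink, rate limiter and `deliver` function are assumptions, and the Supabase URL and key are constructed placeholders. The link is handed to a delivery function rather than returned to the requester, so a staff account cannot harvest login links.

```javascript
// Added example (not the skill's code): wrap the admin generate_link call with
// server-side authorization, trusted email lookup, per-caller rate limiting and
// an audit trail. Dependencies are injected so the handler runs offline.

const SUPABASE_URL = 'https://abcdefghij.supabase.co';         // constructed placeholder
const SUPABASE_SERVICE_ROLE_KEY = 'service-role-key-from-env';  // placeholder; read from the server environment

// Fixed-window limiter: at most `limit` requests per key per `windowMs`.
function createRateLimiter({ limit, windowMs, now = () => Date.now() }) {
  const windows = new Map();
  return (key) => {
    const t = now();
    const w = windows.get(key);
    if (!w || t - w.start >= windowMs) {
      windows.set(key, { start: t, count: 1 });
      return true;
    }
    w.count += 1;
    return w.count <= limit;
  };
}

// customers: Map<customerId, { email }> (trusted records); audit(event) records a
// decision; allow(callerId) is the limiter; deliver(email, link) sends the link
// out of band; fetchImpl is fetch, injected so tests can stub it.
function createMagicLinkHandler({ customers, audit, allow, deliver, fetchImpl, redirectTo }) {
  return async function issueMagicLink({ session, customerId }) {
    const caller = session && session.userId ? session.userId : null;
    const deny = (status, reason) => {
      audit({ event: 'magic_link_denied', reason, caller, customerId });
      return { status, body: { error: reason } };
    };

    // 1. Server-side authorization: an authenticated session allowed to act on this customer.
    if (!caller || !session.canManage(customerId)) return deny(403, 'unauthorized');

    // 2. Rate limit per caller before doing anything expensive.
    if (!allow(caller)) return deny(429, 'rate_limited');

    // 3. Derive the target email from the trusted record; never from the request body.
    const customer = customers.get(customerId);
    if (!customer) return deny(404, 'unknown_customer');

    // 4. Admin call with the service-role key, server side only (same call the skill makes).
    const resp = await fetchImpl(`${SUPABASE_URL}/auth/v1/admin/generate_link`, {
      method: 'POST',
      headers: {
        apikey: SUPABASE_SERVICE_ROLE_KEY,
        Authorization: 'Bearer ' + SUPABASE_SERVICE_ROLE_KEY,
        'Content-Type': 'application/json',
      },
      body: JSON.stringify({ type: 'magiclink', email: customer.email, redirect_to: redirectTo }),
    });
    if (!resp.ok) return deny(502, 'upstream_error');
    const data = await resp.json();

    // 5. Deliver out of band and audit who minted a link for whom. The link
    //    carries a login token, so it is neither logged nor returned to the caller.
    await deliver(customer.email, data.action_link);
    audit({ event: 'magic_link_issued', caller, customerId, email: customer.email });
    return { status: 200, body: { delivered: true } };
  };
}
```

Authorization runs before the rate limiter so that unauthenticated probing cannot exhaust a legitimate user's budget, and the audit events record caller, customer and outcome but never the token, which keeps the log itself from becoming a second place where links leak.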