finskills-one

Advisory

Audited by static analysis on May 10, 2026.

Overview

Detected: suspicious.exposed_secret_literal

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The user may need to provide or configure a Finskills API key, which could affect their account quota, billing, or access if mishandled.

Why it was flagged

The skill needs a provider API key to function. This is expected for Finskills access, but it is still a credential and is not declared as a primary credential or required environment variable in the registry metadata.

Skill content

All requests require the `X-API-Key` header. If the user has not provided one, ask for it

Recommendation

Use a dedicated Finskills key with appropriate limits, prefer setting it as `FINSKILLS_API_KEY` rather than pasting it into chat, and avoid sharing unrelated credentials.

What this means

If the user installs the optional helper dependencies, they rely on whatever compatible `requests` package version pip resolves in their environment.

Why it was flagged

The optional helper scripts depend on a broadly versioned PyPI package rather than a pinned, hash-locked dependency. This is common for simple helper scripts, but it is still supply-chain relevant when users run `pip install`.

Skill content

requests>=2.31

Recommendation

Install optional dependencies in a virtual environment and consider pinning versions or using a lockfile for reproducible installs.

Findings (2)

critical

suspicious.exposed_secret_literal

Location

README.md:55

Finding

File appears to expose a hardcoded API secret or token.

critical

suspicious.exposed_secret_literal

Location

SKILL.md:24

Finding

File appears to expose a hardcoded API secret or token.