suspicious.exposed_secret_literal
- Location: SKILL.md:142
- Finding: File appears to expose a hardcoded API secret or token.
Advisory. Audited by static analysis on May 10, 2026.
Detected: suspicious.exposed_secret_literal
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Deep-research requests may run under a shared or developer credential rather than a user-scoped credential, and an exposed token could be abused or cause usage to be misattributed.
The static scan reports a hardcoded bearer authorization header in the deep-research request; the visible SKILL.md excerpt also shows an Authorization bearer header for `https://deepresearch.ecomseer.com/research`.
-H "Authorization: Bearer [REDACTED]"
Remove the hardcoded bearer token, rotate it if real, and authenticate deep-research calls using a declared, user-scoped credential or a backend-controlled token exchange.
Your EcomSeer API key will be stored locally in OpenClaw config if you paste it to the assistant for setup.
The skill can persist a user-provided EcomSeer API key in OpenClaw configuration, which is expected for this integration but still a credential-handling step.
openclaw config set skills.entries.ecomseer.apiKey "{KEY}"
Configure the API key only if you trust the skill and provider; consider setting it manually, and rotate the key if it is accidentally exposed.
Business questions, query context, and generated analysis may be processed and hosted by EcomSeer outside your local agent session.
Complex queries are sent to a server-side AI research system and the output is hosted as a shareable report; this is disclosed and purpose-aligned, but it is an external data boundary.
Deep Research — AI-powered deep analysis... Automatically triggered... Reports are hosted and shareable via link.
Avoid submitting confidential strategy or private business data unless you understand EcomSeer's report access controls, retention, and sharing behavior.
Using the skill will make network requests to EcomSeer with your API key to fetch analytics data.
The skill relies on shell `curl` commands to call EcomSeer's APIs; this is central to the stated purpose and no destructive local commands are shown.
curl -s "https://www.ecomseer.com/api/open/{endpoint}?{params}" -H "X-API-Key: $ECOMSEER_API_KEY"
Verify the target domains and use the skill only for queries you are comfortable sending to EcomSeer.