gold-analysis

Advisory

Audited by static analysis on May 10, 2026.

Overview

Detected: suspicious.exposed_secret_literal

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Searches may run under a shared embedded provider credential; the key can be copied or abused, and quota, logging, and account identity are not under the user's control.

Why it was flagged

The script contains a hardcoded Tavily API key and automatically uses it when the user has not set TAVILY_API_KEY.

Skill content
const DEFAULT_API_KEY = "tvly-dev-..."; const apiKey = (process.env.TAVILY_API_KEY ?? DEFAULT_API_KEY).trim();
Recommendation

Remove and rotate the embedded key, require each user to provide their own TAVILY_API_KEY, and declare the credential requirement clearly in metadata.

What this means

Gold-related questions, and any personal investment details included in them, may be processed by Tavily.

Why it was flagged

The script sends the user's search query and API key to Tavily's external search API, which is expected for the skill's purpose.

Skill content
fetch("https://api.tavily.com/search", { method: "POST", ... body: JSON.stringify(body) })
Recommendation

Avoid putting sensitive personal financial details in queries, and use your own Tavily API key if you need account and privacy control.

What this means

Using the skill runs included local code and performs a network search request.

Why it was flagged

The skill instructs the agent to run a local helper script to fetch current market information; this is aligned with the stated search-analysis purpose.

Skill content
node {baseDir}/scripts/search-gold.mjs <query> [--type price|news|technical]
Recommendation

Review the included script before use and prefer setting your own Tavily API key.

critical

suspicious.exposed_secret_literal

Location
scripts/search-gold.mjs:53
Finding
File appears to expose a hardcoded API secret or token.