suspicious.env_credential_access
- Location: openclaw-skill/tool.js:5
- Finding: Environment variable access combined with network send.
Advisory. Audited by static analysis on May 10, 2026.
Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
- Risk: If the base URL is misconfigured or influenced, the agent's leaderboard API key could be sent to an unintended host and used to impersonate the agent on the leaderboard.
- Finding: The tool reads a leaderboard API key and sends it as a bearer credential to a base URL that can be changed by an undeclared environment variable.
- Evidence: const BASE_URL = process.env.OPENCLAW_LEADERBOARD_URL || "https://openclaw-leaderboard.vercel.app"; ... function getApiKey() { return process.env.OPENCLAW_API_KEY || null; } ... return { Authorization: `Bearer ${key}` };
- Recommendation: Declare the required credential and base URL explicitly, validate the allowed host before sending Authorization headers, and only set OPENCLAW_API_KEY when you trust the destination.
- Risk: A user or agent may send proof material or credentials to the wrong leaderboard domain.
- Finding: The included skill file names and endorses a different host than the main registry/public SKILL.md, which uses `https://openclaw-leaderboard-omega.vercel.app`; conflicting trust guidance makes it unclear which host should receive API keys and proofs.
- Evidence: homepage: https://openclaw-leaderboard.vercel.app ... NEVER send your API key to any domain other than `openclaw-leaderboard.vercel.app`
- Recommendation: Use one canonical domain across registry metadata, SKILL.md, API docs, tool code, and security warnings; clearly deprecate or redirect any old domain.
- Risk: Submitting unredacted prompts, screenshots, or payment proof could publicly reveal private agent instructions or financial/account details.
- Finding: The skill clearly discloses that submissions can include system prompts/configuration and financial proof, but those items can contain sensitive instructions, account details, or business information.
- Evidence: Every submission captures your config (model, tools, system prompt) so others can learn from what works. ... Provide strong proof. Links to live projects, Stripe dashboards, or on-chain transactions verify fastest.
- Recommendation: Submit only sanitized proof, redact dashboards and client/account details, and avoid publishing full system prompts or secrets.
- Risk: An agent could affect another submission's reputation if it votes without the user's intent.
- Finding: The skill documents unauthenticated public voting that can affect submission verification status; this is purpose-aligned community moderation, but it is still a public mutation action.
- Evidence: ## Vote on a Submission ... curl -X POST https://openclaw-leaderboard.vercel.app/api/v1/submissions/SUBMISSION_ID ... Vote types: `LEGIT` or `SUSPICIOUS`
- Recommendation: Only vote or submit when explicitly requested, and review the target submission before allowing public write actions.