supportforge-api

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill is a coherent instruction-only SupportForge API integration, but users should note that it involves API keys and sends customer support data to an external service.

This looks acceptable as an instruction-only SupportForge API skill, but treat it as a third-party customer-data integration: verify the provider, protect the API key, and avoid sending real customer emails, ticket text, account values, or interaction history unless you are authorized to do so.

Static analysis

Exposed secret literal

Severity: Critical
Finding: File appears to expose a hardcoded API secret or token.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the API key is exposed or stored unsafely, someone else could use the user's SupportForge access.

Why it was flagged

The skill requires a SupportForge API key and asks that it be stored for future use, which is expected for an API integration but gives the agent access to a service credential.

Skill content

1. **Get API Key**: Help user sign up for free SupportForge API key
2. **Store Key**: Save the key securely

Recommendation

Use a dedicated SupportForge key, store it only in approved secret storage, avoid pasting it into shared logs or transcripts, and rotate it if it is exposed.

What this means

Customer messages, contact details, account context, and support history may leave the user's environment and be processed by a third-party service.

Why it was flagged

The skill documents sending customer support content, including customer email and ticket details, to an external SupportForge API endpoint.

Skill content

curl -X POST https://supportforge.vosscg.com/v1/tickets/route ... "customer_email": "customer@example.com"

Recommendation

Only send data you are authorized to share, minimize or redact sensitive customer information when possible, and verify SupportForge's privacy and data-processing terms before production use.

What this means

Users have less metadata to confirm who maintains the skill or whether the API endpoint is the intended service.

Why it was flagged

The registry metadata does not provide a source repository or homepage, which limits independent verification of the provider and skill provenance.

Skill content

Source: unknown
Homepage: none

Recommendation

Verify the SupportForge provider and domain out of band before creating an account, entering an API key, or sending real customer data.

What this means

If used with real support workflows, API calls could influence ticket routing or generated customer responses.

Why it was flagged

The skill provides command-line API examples that could be used by an agent to call the external service; this is central to the stated API-integration purpose.

Skill content

curl -X POST https://supportforge.vosscg.com/v1/responses/generate

Recommendation

Review requests before sending real customer data or using generated responses in production support channels.