critical
suspicious.env_credential_access
- Location
- scripts/generate.js:145
- Finding
- Environment variable access combined with network send.
Picnow — Image Generation
AdvisoryAudited by Static analysis on May 10, 2026.
Overview
Detected: suspicious.env_credential_access
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
NoteHigh Confidence
ASI03: Identity and Privilege AbuseWhat this means
Using the skill can consume the user's Picnow/Letmego API quota or balance under their account.
Why it was flagged
The script uses the user's Letmego API key to authenticate API calls. This is needed for the stated service, but it is still delegated account authority and is under-declared by the registry metadata.
Skill content
const token = process.env.LETMEGO_API_KEY; ... Authorization: `Bearer ${token}`,Recommendation
Install only if you intend to use Picnow/Letmego, set a dedicated API key if possible, and monitor quota or billing usage.
NoteHigh Confidence
ASI07: Insecure Inter-Agent CommunicationWhat this means
Reference images or files you provide may leave your machine and be processed by Picnow/Letmego.
Why it was flagged
When --ref is used, the selected local file is encoded and uploaded to the disclosed Picnow API for image editing. This is purpose-aligned but sends user content to a third-party provider.
Skill content
const refB64 = await readFileAsBase64(refPath); ... fetch(`${API_BASE}/v1/images/edits`, { method: 'POST', ... body: form })Recommendation
Use reference files only when you are comfortable uploading them, and verify the path before running image-to-image edits.