Security Checker

Advisory. Audited by static analysis on May 10, 2026.

Overview

Detected: suspicious.exposed_secret_literal

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If pointed at a large or sensitive directory, it will read local Python files and print file names and warnings, although it does not print detected secret values or upload data.

Why it was flagged

The scanner recursively reads Python files from a user-supplied path. This is necessary for its purpose, but a broad path could cause it to inspect more local code than intended.

Skill content
target = Path(sys.argv[1])
...
elif target.is_dir():
    all_issues = scan_directory(target)
...
for py_file in directory.rglob('*.py'):
Recommendation

Run it only on the specific skill directory or files you intend to review.

What this means

If copied or followed blindly, a passing scan could be treated as approval to publish before final human review.

Why it was flagged

The documentation includes a publishing command as part of a pre-publish workflow. It is disclosed and related to the stated use case, but publishing is a public, high-impact action.

Skill content
# 4. Only publish if scan passes
clawhub publish /path/to/skill --slug my-skill ...
Recommendation

Treat scan results as advisory and require explicit user approval before running any publish command.

Findings (1)

critical

suspicious.exposed_secret_literal

Location
SKILL.md:116
Finding
File appears to expose a hardcoded API secret or token.