suspicious.secret_argv_exposure
- Location
- SKILL.md:42
- Finding
- Instructions pass high-value credentials through process argv.
Advisory
Audited by static analysis on May 10, 2026.
Detected: suspicious.secret_argv_exposure
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
On shared machines or systems with command/process telemetry, another local user or logging tool could capture the JustOneAPI token and use the account or quota.
The official run instruction passes the API token as a command-line argument. The shell expands `$JUST_ONE_API_TOKEN` before `node` is executed, so the plaintext token lands in the process's argv, where it can be read by other local users (for example via `ps` or `/proc/<pid>/cmdline`) and recorded by process-auditing or command-line logging tools.

```sh
node {baseDir}/bin/run.mjs --operation "getFollowersV1" --token "$JUST_ONE_API_TOKEN" --params-json '{"uid":"<uid>"}'
```

Recommendation: prefer a helper that reads JUST_ONE_API_TOKEN directly from the environment or a secret manager instead of argv, avoid running this on shared systems, and rotate the token if it may have been exposed.