Weibo Search User Published Posts API

Advisory

Audited by Static analysis on May 10, 2026.

Overview

Detected: suspicious.secret_argv_exposure

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the token is exposed, someone else may be able to use your JustOneAPI account or quota.

Why it was flagged

The default invocation expands the JustOneAPI credential into a command-line argument, which can be visible to local process monitors, shell wrappers, or command logging on some systems.

Skill content

node {baseDir}/bin/run.mjs --operation "searchProfileV1" --token "$JUST_ONE_API_TOKEN" --params-json '{"uid":"<uid>","q":"<q>"}'

Recommendation

Use only in a trusted environment, prefer a version that reads JUST_ONE_API_TOKEN directly from the environment or a secret manager instead of argv, and rotate the token if it may have been exposed.

Findings (1)

critical

suspicious.secret_argv_exposure

Location
SKILL.md:45
Finding
Instructions pass high-value credentials through process argv.