critical
suspicious.secret_argv_exposure
- Location: SKILL.md:41
- Finding: Instructions pass high-value credentials through process argv.
Advisory
Audited by Static analysis on May 10, 2026.
Detected: suspicious.secret_argv_exposure
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Someone with access to the same machine or relevant logs could potentially see and reuse the JustOneAPI token.
The token is expected for this API call, but passing it as a CLI argument can expose it locally through process listings or command recording while the helper runs.
node {baseDir}/bin/run.mjs --operation "tvComponentV1" --token "$JUST_ONE_API_TOKEN" --params-json '{"oid":"<oid>"}'

Use this only on trusted systems, avoid sharing command logs, and prefer a future helper version that reads JUST_ONE_API_TOKEN directly from the environment or stdin instead of argv.