WeChat Official Accounts Article Engagement Metrics API

Advisory

Audited by Static analysis on May 10, 2026.

Overview

Detected: suspicious.secret_argv_exposure

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your JustOneAPI token could be visible to local process inspection, terminal history, command logging, or monitoring tools, depending on the environment.

Why it was flagged

The documented invocation places the high-value API token in process argv instead of having the helper read it directly from the environment or stdin.

Skill content
node {baseDir}/bin/run.mjs --operation "getArticleFeedback" --token "$JUST_ONE_API_TOKEN" --params-json '{"articleUrl":"<articleUrl>"}'

Recommendation

Change the helper and instructions to read JUST_ONE_API_TOKEN directly from the environment or stdin, avoid passing secrets as command-line arguments, and use a restricted token if available.

What this means

The article URL you provide, along with the API token required by the provider, is sent to JustOneAPI to fulfill the request.

Why it was flagged

The helper makes an outbound request to the declared JustOneAPI provider using the supplied operation parameters.

Skill content
"baseUrl": "https://api.justoneapi.com" ... response = await fetch(url, requestInit);

Recommendation

Use the skill only for article URLs you intend to send to JustOneAPI, and confirm you trust the provider and token scope.

Findings (1)

critical

suspicious.secret_argv_exposure

Location
SKILL.md:41
Finding
Instructions pass high-value credentials through process argv.