critical
suspicious.secret_argv_exposure
- Location
- SKILL.md:47
- Finding
- Instructions pass high-value credentials through process argv.
Xiaohongshu (RedNote) User Published Notes API
AdvisoryAudited by Static analysis on May 10, 2026.
Overview
Detected: suspicious.secret_argv_exposure
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
What this means
If the token is exposed, someone else may be able to use the user's JustOneAPI account or quota.
Why it was flagged
The documented invocation places the API token in a command-line argument. Command-line arguments may be visible to local process listings or captured in execution logs, creating an avoidable credential exposure risk.
Skill content
node {baseDir}/bin/run.mjs --operation "getUserNoteListV2" --token "$JUST_ONE_API_TOKEN" --params-json '{"userId":"<userId>"}'Recommendation
Prefer a helper that reads JUST_ONE_API_TOKEN directly from the environment or a secure secret store instead of accepting it via --token; rotate the token if it may have been exposed.