Xiaohongshu (RedNote) User Profile API

Advisory

Audited by Static analysis on May 10, 2026.

Overview

Detected: suspicious.secret_argv_exposure

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your JustOneAPI token could be exposed locally if another process or log captures command-line arguments while the command runs.

Why it was flagged

The instruction expands the API token into a command-line argument. Command-line arguments can be visible to other local processes or captured by execution telemetry, so this is weaker credential handling than reading the token inside the helper from the environment.

Skill content

node {baseDir}/bin/run.mjs --operation "getUserV3" --token "$JUST_ONE_API_TOKEN" --params-json '{"userId":"<userId>"}'

Recommendation

Use only on a trusted local machine, and prefer a version of the helper that reads JUST_ONE_API_TOKEN directly from the environment instead of requiring --token.

Findings (1)

critical

suspicious.secret_argv_exposure

Location: SKILL.md:46

Finding: Instructions pass high-value credentials through process argv.