Xiaohongshu Creator Marketplace (Pugongying) Creator Core Metrics API

Advisory. Audited by static analysis on May 10, 2026.

Overview

Detected: suspicious.secret_argv_exposure

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The requested creator userId and filters are sent to JustOneAPI to retrieve metrics.

Why it was flagged

The helper sends requests to the documented external JustOneAPI service. This is purpose-aligned, but users should recognise that every creator ID and filter they query is transmitted to that third-party provider along with the request itself.

Skill content
"baseUrl": "https://api.justoneapi.com"
Recommendation

Use the skill only for intended lookups and provide only the creator IDs and filters you mean to query.

What this means

A leaked JustOneAPI token lets anyone who obtains it make API requests that are authenticated as the user and billed against the user's account or quota.

Why it was flagged

Expanding the environment variable into a command-line argument places the API token in the process's argv. Unlike the environment, argv is routinely exposed: it appears in process listings (ps, and /proc/<pid>/cmdline, which is world-readable by default on Linux unless hidepid is set), in execve audit records, and in crash reports, so other local users and monitoring tooling can read the secret.

Skill content
--token "$JUST_ONE_API_TOKEN"
Recommendation

Change the helper to read JUST_ONE_API_TOKEN directly from the environment, from stdin, or from a secret manager instead of accepting it via --token; rotate the token if it may already have been exposed through a command line.
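The following is an added example of the recommended fix, not the skill's own helper: a Python entry point that refuses the flagged --token argument and instead takes the token from $JUST_ONE_API_TOKEN, from stdin, or from a file, plus a check that tells you whether a given command line would leak the secret the way ps or /proc/<pid>/cmdline would show it. The function names (resolve_token, argv_leaks_token, redact_argv) and the --token-stdin / --token-file options are assumptions for illustration; only the JUST_ONE_API_TOKEN variable name comes from the advisory.

```python
#!/usr/bin/env python3
"""Added example (not the skill's code): load the JustOneAPI token without
putting it in process argv, and detect command lines that would leak it.
Names below are hypothetical; JUST_ONE_API_TOKEN is the variable from the advisory."""
import argparse
import os
import sys
from typing import Mapping, Optional, Sequence

ENV_VAR = "JUST_ONE_API_TOKEN"


def argv_leaks_token(argv: Sequence[str], token: str) -> bool:
    """True if the secret is present in argv, i.e. in what `ps -ef`, execve
    audit records and /proc/<pid>/cmdline (world-readable by default on Linux)
    would expose. An empty token never counts as leaked."""
    return bool(token) and any(token in arg for arg in argv)


def resolve_token(argv: Sequence[str], environ: Mapping[str, str],
                  stdin_text: Optional[str] = None) -> str:
    """Return the token from a non-argv source, refusing the flagged --token pattern.

    Precedence: --token-stdin, then --token-file PATH, then $JUST_ONE_API_TOKEN.
    stdin_text is injectable so the function can be exercised without a real stdin.
    """
    parser = argparse.ArgumentParser(add_help=False)
    parser.add_argument("--token")                  # accepted only so it can be rejected
    parser.add_argument("--token-stdin", action="store_true")
    parser.add_argument("--token-file")
    opts, _rest = parser.parse_known_args(list(argv))  # _rest: user-id, filters, etc.

    if opts.token is not None:
        raise ValueError("refusing --token: the secret would be visible in process argv; "
                         f"set {ENV_VAR}, or use --token-stdin / --token-file instead")
    if opts.token_stdin:
        text = stdin_text if stdin_text is not None else sys.stdin.readline()
        token = text.strip()
    elif opts.token_file:
        with open(opts.token_file, encoding="utf-8") as fh:
            token = fh.read().strip()
    else:
        token = environ.get(ENV_VAR, "").strip()
    if not token:
        raise ValueError(f"no token: set {ENV_VAR}, or use --token-stdin / --token-file")
    return token


def redact_argv(argv: Sequence[str], token: str) -> list:
    """Copy of argv that is safe to log: every occurrence of the token is masked."""
    return [arg.replace(token, "***") if token else arg for arg in argv]


def main(argv: Sequence[str]) -> int:
    """Stand-alone usage: reports that a token was loaded without printing it."""
    try:
        token = resolve_token(argv, os.environ)
    except ValueError as err:
        print(err, file=sys.stderr)
        return 2
    # Defence in depth: confirm the secret did not end up in our own command line.
    if argv_leaks_token(argv, token):
        print("token visible in argv; rotate it", file=sys.stderr)
        return 2
    print(f"token loaded ({len(token)} chars); argv for logging: {redact_argv(argv, token)}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Invoked as `JUST_ONE_API_TOKEN=... python3 helper.py --user-id 123`, the token never touches the command line; `printf '%s\n' "$JUST_ONE_API_TOKEN" | python3 helper.py --token-stdin --user-id 123` has the same property when the caller would rather not export the variable into the child's environment at all. Passing `--token anything` is rejected outright, which is what prevents the pattern the scanner flagged from reappearing.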

Findings (1)

critical

suspicious.secret_argv_exposure

Location
SKILL.md:49
Finding
Instructions pass high-value credentials through process argv.