critical
suspicious.secret_argv_exposure
- Location: SKILL.md:41
- Finding: Instructions pass high-value credentials through process argv.
Advisory: Audited by static analysis on May 10, 2026.
Detected: suspicious.secret_argv_exposure
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Someone or something with access to local process details while the command runs may be able to see the API token.
The skill needs the JustOneAPI token for its stated purpose, but passing it via a command-line argument can expose the expanded token to local process inspection or command logging.
node {baseDir}/bin/run.mjs --operation "apiSolarCooperatorUserBloggerUserIdV1" --token "$JUST_ONE_API_TOKEN" --params-json '{"userId":"<userId>"}'

Prefer a helper that reads JUST_ONE_API_TOKEN directly from the environment or stdin, and rotate the token if you suspect it was exposed.