Xiaohongshu Creator Marketplace (Pugongying) Follower Distribution API

Advisory. Audited by static analysis on May 10, 2026.

Overview

Detected: suspicious.secret_argv_exposure

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A JustOneAPI token could be exposed on the local machine even though the skill is only meant to call one API endpoint.

Why it was flagged

The skill instructs the agent/user to place the API token in process arguments. Command-line arguments may be visible to other local users, process inspection tools, crash reports, or command logging.

Skill content

node {baseDir}/bin/run.mjs --operation "apiSolarKolDataUserIdFansProfileV1" --token "$JUST_ONE_API_TOKEN" --params-json '{"userId":"<userId>"}'

Recommendation

Prefer a version that reads JUST_ONE_API_TOKEN directly from the environment inside the helper, uses stdin, or otherwise avoids passing secrets through argv. Rotate the token if it may have been captured in logs or process monitoring.

Findings (1)

Severity: critical

Rule: suspicious.secret_argv_exposure

Location: SKILL.md:41

Finding: Instructions pass high-value credentials through process argv.