suspicious.exposed_secret_literal
- Location: SKILL.md:37
- Finding: File appears to expose a hardcoded API secret or token.
Advisory. Audited by static analysis on May 10, 2026.
Detected: suspicious.exposed_secret_literal
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
When invoked for a security review, the agent may inspect relevant files in the repository to find vulnerabilities.
The skill authorizes local command-line and file-reading activity, which is sensitive because it can inspect a user's codebase. The instructions are purpose-aligned and constrained to read-only review.
You are permitted to use the command line to understand the repository structure... You MUST only use read-only tools like `ls -R`, `grep`, and `read-file` for the security analysis.
Use the skill only on repositories you want reviewed, and review any generated report before sharing it outside your environment.
A security report file may be created in the project workspace, potentially containing vulnerability details from the reviewed code.
The skill may write review artifacts to the workspace when analysis output is requested. This is disclosed and scoped to a dedicated directory.
Artifacts created during security analysis should be stored in a `.shield_security/` directory in the user's workspace.
Check the .shield_security/ directory after use and treat generated reports as potentially sensitive project-security information.