Short Video Downloader

Advisory
Audited by static analysis on May 10, 2026.

Overview

Detected: suspicious.exposed_secret_literal

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user could be charged for a request that cannot produce a download, and the agent has no clear approval checkpoint before the charge attempt.

Why it was flagged

The handler attempts to charge the user before it validates that a URL was provided, so even invalid or accidental invocations can trigger the billing API path.

Skill content
charge_user(user_id) ... url_match = re.search(...) ... if not url_match: return {"error": "Please provide a URL"}
Recommendation

Move billing after URL validation and successful download-link generation, and require an explicit user confirmation before each paid charge.

What this means

The exposed key could be copied or abused, and users cannot easily understand or constrain the payment authority being exercised by the skill.

Why it was flagged

A billing API credential is hardcoded into the distributed source and used to authorize payment requests.

Skill content
SKILLPAY_API_KEY = "sk_93c5..." ... requests.post("https://api.skillpay.me/v1/charge", json={"api_key": SKILLPAY_API_KEY, "user_id": user_id, "amount": PRICE_USDT
Recommendation

Remove the hardcoded key, rotate the exposed credential, use platform-managed secrets, and declare the payment credential and scope in metadata.

What this means

A user may trust the skill as a functioning paid downloader, but the included code does not actually download videos or generate a real download link.

Why it was flagged

The returned result reports that a download link was extracted and sets the payment status to "paid", while the same response admits that the downloader is only a demo that still needs to be integrated with a real download tool.

Skill content
"status": "Video download link extracted", "demo": "This is a demo - integrate with yt-dlp for actual download", "payment_status": "paid"
Recommendation

Do not charge users until the advertised functionality is implemented; clearly label the skill as a demo if it is not production-ready.
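The three recommendations above describe one corrected request flow: validate the URL, produce the deliverable, obtain explicit confirmation, and only then charge, with the billing credential read from platform-managed configuration rather than a source literal. The handler below is an added illustration written for this advisory, not the skill's own code. It assumes an environment variable named SKILLPAY_API_KEY, an illustrative price, and that the charge endpoint accepts the JSON body shape quoted in the excerpt; the billing call is passed in as a callable so the flow can be exercised offline with a fake.

```python
import json
import os
import re
import urllib.request
from typing import Callable, Mapping, Optional

# Illustrative price and URL pattern; neither is taken from the skill's source.
PRICE_USDT = "0.10"
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Endpoint as quoted in the advisory excerpt; request shape is assumed from that excerpt.
SKILLPAY_CHARGE_URL = "https://api.skillpay.me/v1/charge"


def load_api_key(env: Mapping[str, str] = os.environ) -> str:
    """Read the billing credential from injected configuration, never a literal.

    SKILLPAY_API_KEY as the variable name is an assumption of this example.
    """
    key = env.get("SKILLPAY_API_KEY", "")
    if not key:
        raise RuntimeError("SKILLPAY_API_KEY is not configured; refusing to bill")
    return key


def extract_url(text: Optional[str]) -> Optional[str]:
    """Return the first http(s) URL in the request text, or None if absent."""
    m = URL_RE.search(text or "")
    return m.group(0) if m else None


def charge_via_skillpay(user_id: str, amount: str) -> bool:
    """Live charge call (assumed API contract); not exercised in the offline run."""
    body = json.dumps({"api_key": load_api_key(), "user_id": user_id,
                       "amount": amount}).encode()
    req = urllib.request.Request(SKILLPAY_CHARGE_URL, data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status == 200


def handle(text: Optional[str], user_id: str, confirmed: bool,
           resolve_link: Callable[[str], Optional[str]],
           charge: Callable[[str, str], bool] = charge_via_skillpay) -> dict:
    """Billing happens last, and 'paid' is reported only after a successful charge."""
    # 1. Validate input before any billing code path is reachable.
    url = extract_url(text)
    if url is None:
        return {"error": "Please provide a URL", "payment_status": "not_charged"}

    # 2. Produce the deliverable; a request that cannot be fulfilled is never billed.
    link = resolve_link(url)
    if link is None:
        return {"error": "Could not produce a download link for this URL",
                "payment_status": "not_charged"}

    # 3. Explicit approval checkpoint: the agent must surface the price and
    #    re-enter with confirmed=True before any charge is attempted.
    if not confirmed:
        return {"status": "awaiting_confirmation", "price_usdt": PRICE_USDT,
                "payment_status": "not_charged"}

    # 4. Charge, and only on success return the link with payment_status "paid".
    if not charge(user_id, PRICE_USDT):
        return {"error": "Payment failed", "payment_status": "failed"}
    return {"status": "Video download link extracted", "download_url": link,
            "payment_status": "paid"}
```

Swapping `resolve_link` for a real downloader integration and `charge` for `charge_via_skillpay` gives the production wiring; every early-return path carries an explicit `payment_status` of `not_charged` so an agent cannot misread an error as a completed purchase.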

Findings (2)

critical

suspicious.exposed_secret_literal

Location
handler.py:10
Finding
File appears to expose a hardcoded API secret or token.
critical

suspicious.exposed_secret_literal

Location
SKILL.md:48
Finding
File appears to expose a hardcoded API secret or token.
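The two findings above are file-and-line hits from a static secret-literal scan. The scanner below is an added example of how such a check is typically done; it is not ClawScan's ruleset and its patterns, severity label and sample files are this example's own assumptions. It runs over constructed in-memory file contents (modelled on the excerpts quoted above, with made-up key values), skips obvious placeholders, and ignores lines that merely read the credential from the environment.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

RULE = "suspicious.exposed_secret_literal"

# Assumed detection patterns (not ClawScan's): an assignment of a secret-looking
# name to a quoted value, or any quoted token with a key-like "sk_" prefix.
SECRET_PATTERNS = [
    re.compile(r"""(?i)\b[A-Z0-9_]*(?:API_KEY|SECRET|TOKEN|PASSWORD)\s*[:=]\s*["']([^"']{8,})["']"""),
    re.compile(r"""["'](sk_[A-Za-z0-9]{6,})["']"""),
]
# Values that are documentation placeholders rather than credentials.
PLACEHOLDER = re.compile(r"(?i)^(?:<.*>|\$\{.*\}|your[_-]|xxx|\.\.\.)")


@dataclass(frozen=True)
class Finding:
    severity: str
    rule: str
    path: str
    line: int
    excerpt: str

    def location(self) -> str:
        return f"{self.path}:{self.line}"


def scan_text(path: str, text: str) -> List[Finding]:
    """Flag each line containing a non-placeholder secret literal."""
    found = []
    for no, line in enumerate(text.splitlines(), 1):
        for pat in SECRET_PATTERNS:
            m = pat.search(line)
            if m and not PLACEHOLDER.match(m.group(1)):
                found.append(Finding("critical", RULE, path, no, m.group(0)))
                break  # one finding per line is enough
    return found


def scan_files(files: Dict[str, str]) -> List[Finding]:
    return [f for path, text in files.items() for f in scan_text(path, text)]


# Constructed sample files; key values are invented and the layout only loosely
# mirrors the advisory's excerpts.
SAMPLE_FILES = {
    "handler.py": "\n".join([
        "import os",
        "import re",
        "import requests",
        "",
        "PRICE_USDT = 0.5",
        'SKILLPAY_API_KEY = "sk_live_0123456789abcdef"',      # line 6: literal secret
        "",
        "def charge_user(user_id):",
        '    requests.post(URL, json={"api_key": SKILLPAY_API_KEY, "user_id": user_id})',
        "",
        "def safe_key():",
        '    return os.environ.get("SKILLPAY_API_KEY")',       # line 12: env lookup, not a literal
    ]),
    "SKILL.md": "\n".join([
        "# Short Video Downloader",
        "",
        "Configure billing with your own key:",
        'API_KEY = "<your-key-here>"',                           # line 4: placeholder, skipped
        "",
        "Example request body:",
        '{"api_key": "sk_0123456789abcdef"}',                    # line 7: literal secret
    ]),
}


def report(files: Dict[str, str] = SAMPLE_FILES) -> List[str]:
    """Render findings in the advisory's 'severity rule location' shape."""
    return [f"{f.severity} {f.rule} {f.location()}" for f in scan_files(files)]


if __name__ == "__main__":
    for line in report():
        print(line)
```

Pattern matching alone produces noise, which is why the placeholder filter and the name-plus-assignment requirement matter: the `os.environ.get("SKILLPAY_API_KEY")` line names the secret but assigns no literal, so it is correctly left alone, while the example JSON in SKILL.md is caught by the prefix pattern even though no variable name precedes it.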