juicy

Advisory

Audited by static analysis on May 10, 2026.

Overview

Detected: suspicious.exposed_secret_literal

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If a generated UI is used with incorrect project, chain, or contract settings, the user could send funds or interact with the wrong contract.

Why it was flagged

The generated interaction UI can initiate a wallet-authorized on-chain payment. This is central to a Juicebox interaction skill and requires wallet confirmation, but it is still a real financial action.

Skill content

const hash = await walletClient.writeContract({
  address: terminal,
  abi: TERMINAL_ABI,
  functionName: 'pay',
  ...
  value,
  account: address
});

Recommendation

Review every generated transaction, especially project ID, chain ID, contract address, calldata, and amount. Test with small amounts or testnets before using real funds.

What this means

A signed forward request can authorize the encoded action on the specified chain and forwarder until it expires.

Why it was flagged

The omnichain template asks the user to sign typed forward requests that can be relayed later within a 48-hour deadline. This is purpose-aligned for Relayr-style deployment, but it is delegated wallet authority.

Skill content

const deadline = Math.floor(Date.now() / 1000) + 48 * 60 * 60;

const signature = await walletClient.signTypedData({
  account: address,
  domain,
  types,
  primaryType: 'ForwardRequest',
  message
});

Recommendation

Only sign typed data after verifying the chain, forwarder, target contract, deadline, and decoded calldata. Avoid signing if the wallet prompt is unclear.

What this means

Relay/API providers may see wallet addresses, chains, signed request data, and transaction intent.

Why it was flagged

The template sends signed transaction requests to the external Relayr API. This is disclosed and aligned with multi-chain deployment, but it creates a third-party data and execution boundary.

Skill content

const response = await fetch(`${RELAYR_API}/v1/bundle/prepaid`, {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({ transactions: signedRequests, virtual_nonce_mode: 'Disabled' })
});

Recommendation

Use trusted official endpoints, review request bodies before sending, avoid sensitive memos or metadata, and do not expose private API keys in public client-side deployments.

What this means

A changed or compromised remote dependency could alter generated wallet-interaction pages.

Why it was flagged

Generated browser templates import wallet/transaction libraries from an external CDN at runtime. This supports the no-build UI pattern, but unpinned remote dependencies can affect transaction behavior if the dependency source changes.

Skill content

import { createPublicClient, createWalletClient, http, custom, formatEther, parseEther, getContract } from 'https://esm.sh/viem';

Recommendation

Pin exact dependency versions, bundle dependencies, or use integrity-checked trusted copies before deploying a production wallet UI.

Findings (1)

critical

suspicious.exposed_secret_literal

Location

jb-hook-deploy-ui/SKILL.md:462

Finding

File appears to expose a hardcoded API secret or token.