Socialcannon

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a coherent SocialCannon API guide, but it needs social-media account credentials and can publish or manage public posts, so users should only use it with clear intent.

Install only if you trust SocialCannon and intend to let the agent help manage connected social accounts. Keep the client secret private, review posts before publishing, and explicitly confirm destructive or public actions such as publishing, scheduling, deleting, or disconnecting accounts.

Static analysis

Exposed secret literal

Severity: Critical

Finding: File appears to expose a hardcoded API secret or token.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used without care, the agent could publish or schedule content on connected social accounts.

Why it was flagged

The skill documents an API call that can publish social media content. This is directly aligned with the skill’s purpose, but it is still a public, user-impacting action.

Skill content

curl -X POST https://socialcannon.app/api/v1/posts ... "content": "Hello from SocialCannon!"

Recommendation

Only authorize posting after reviewing the target account, content, media, and schedule; consider asking the agent to confirm before any publish or delete action.

What this means

Anyone or any agent session with these credentials may be able to act through the connected SocialCannon account within the granted scope.

Why it was flagged

The skill requires provider credentials and obtains bearer tokens for SocialCannon API access. This is expected for the integration, but those credentials delegate authority over connected social accounts.

Skill content

Your Client ID and Client Secret are available on the dashboard Settings page. These are the values for `SOCIALCANNON_CLIENT_ID` and `SOCIALCANNON_CLIENT_SECRET`.

Recommendation

Store credentials securely, avoid sharing logs containing tokens, use the least-privileged account setup available, and revoke or rotate credentials if they are exposed.