critical
suspicious.exposed_secret_literal
- Location
- references/examples.md:31
- Finding
- File appears to expose a hardcoded API secret or token.
embedded-engineer
AdvisoryAudited by Static analysis on May 10, 2026.
Overview
Detected: suspicious.exposed_secret_literal
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
NoteHigh Confidence
ASI03: Identity and Privilege AbuseWhat this means
If copied unchanged into a real project, users may normalize storing Wi-Fi passwords directly in firmware.
Why it was flagged
The example includes a hardcoded Wi-Fi credential-looking value. It appears illustrative and purpose-aligned for embedded networking code, but hardcoding real credentials would be unsafe.
Skill content
const char* ssid = "IoT_Network"; const char* password = "SecurePassword123";
Recommendation
Replace placeholders with secure configuration handling, avoid committing real secrets, and document credential storage best practices.
NoteMedium Confidence
ASI07: Insecure Inter-Agent CommunicationWhat this means
A copied deployment could expose device commands or telemetry to parties that can reach the broker/topic namespace.
Why it was flagged
The example uses a public MQTT broker on the common plaintext port and subscribes to command/config topics. This is relevant to IoT examples, but real deployments need authentication, authorization, TLS, and topic isolation.
Skill content
const char* mqtt_server = "broker.hivemq.com";
const int mqtt_port = 1883;
...
mqtt.subscribe("iot/devices/ESP32_SENSOR_001/commands");
mqtt.subscribe("iot/devices/ESP32_SENSOR_001/config");Recommendation
Use a private or authenticated broker, TLS, per-device credentials, restricted topics, and explicit command validation before deploying similar code.
NoteHigh Confidence
ASI05: Unexpected Code ExecutionWhat this means
If adapted directly, a device could install firmware from an unauthenticated or tampered update source.
Why it was flagged
The reference firmware example demonstrates downloading and applying OTA updates from a remote URL over HTTP. OTA updates are expected for IoT examples, but unsecured firmware update paths are high-impact if reused without verification.
Skill content
http.begin("http://update.server.com/firmware/latest.json");
...
t_httpUpdate_return ret = httpUpdate.update(client, url);Recommendation
Require HTTPS, signed firmware, version/rollback checks, trusted update metadata, and user or fleet-policy approval for OTA updates.