suspicious.exposed_secret_literal
- Location
- references/examples.md:434
- Finding
- File appears to expose a hardcoded API secret or token.
Advisory
Audited by static analysis on May 10, 2026.
Detected: suspicious.exposed_secret_literal
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If adapted carelessly, the example code could interact with real payment systems or financial records.
The reference material demonstrates payment API integration and payment-processing logic. This is aligned with a fintech specialist skill, but these patterns are high-impact if a user copies and runs them with live credentials.
const stripe = new Stripe(config.stripe.secretKey, ...); ... async processPayment(request: any)
Use examples only with test credentials and explicit human review before any production payment, transfer, or account mutation.
If the redacted value is a real secret, anyone with the skill package could misuse or leak access to an associated service or account.
The static scan reports this as a hardcoded API secret or token. A reference-only fintech skill should not include real credential material, and the metadata declares no required credentials.
clientSecret: [REDACTED],
Inspect references/examples.md before installing or sharing, remove any real secrets, rotate/revoke exposed credentials, and replace literals with environment-variable placeholders.
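The two remediation steps this advisory asks for, refusing live credentials when examples are run and replacing secret literals with environment-variable placeholders, as an added TypeScript example. This is not ClawScan's scanner and not code from the audited skill; the property-name heuristic, the `sk_test_`/`sk_live_` prefix check, the `STRIPE_SECRET_KEY` variable name and the sample config text are assumptions constructed for the example.

```typescript
// Added example for this advisory; not ClawScan's scanner and not code from
// the audited skill. Two checks a reviewer can run on a fintech reference
// skill before installing or sharing it:
//   1. flag hardcoded secret literals in example text and rewrite them to
//      environment-variable placeholders (the static-scan signal above);
//   2. load the real key from the environment and refuse a live key unless
//      the caller opts in, so copied examples cannot hit production by accident.
// The property-name heuristic, the sk_test_/sk_live_ prefix convention and the
// STRIPE_SECRET_KEY variable name are assumptions made for this example.

export interface SecretHit {
  line: number;        // 1-based line in the scanned text
  key: string;         // property or variable name that held the literal
  placeholder: string; // suggested environment-variable name
}

// Property names that usually carry credentials (assumed heuristic).
const SECRET_KEY_NAME = /secret|token|password|api_?key/i;

// `name: "literal"` or `name = 'literal'` with a quoted string value.
const LITERAL_ASSIGN = /(\w+)\s*[:=]\s*(['"`])([^'"`]+)\2/;

// camelCase -> SCREAMING_SNAKE_CASE, e.g. clientSecret -> CLIENT_SECRET
export function toEnvName(key: string): string {
  return key.replace(/([a-z0-9])([A-Z])/g, '$1_$2').toUpperCase();
}

// A literal is a finding unless it is already scrubbed or is a template
// placeholder such as "${API_TOKEN}".
function isSecretLiteral(key: string, value: string): boolean {
  if (!SECRET_KEY_NAME.test(key)) return false;
  if (value === '[REDACTED]') return false;
  if (/^\$\{?[A-Z][A-Z0-9_]*\}?$/.test(value)) return false;
  return true;
}

export function findSecretLiterals(source: string): SecretHit[] {
  const hits: SecretHit[] = [];
  source.split(/\r?\n/).forEach((text, idx) => {
    const m = LITERAL_ASSIGN.exec(text);
    if (m && isSecretLiteral(m[1], m[3])) {
      hits.push({ line: idx + 1, key: m[1], placeholder: toEnvName(m[1]) });
    }
  });
  return hits;
}

// Replace each flagged literal with a process.env reference so the example
// stays runnable but carries no credential material.
export function rewriteWithPlaceholders(source: string): string {
  return source
    .split(/\r?\n/)
    .map((text) => {
      const m = LITERAL_ASSIGN.exec(text);
      if (!m || !isSecretLiteral(m[1], m[3])) return text;
      return text.replace(m[2] + m[3] + m[2], `process.env.${toEnvName(m[1])}`);
    })
    .join('\n');
}

// Environment-backed loader: refuses a live key unless explicitly allowed.
// `env` is passed in rather than read from process.env so the check is
// testable offline.
export function loadStripeKey(
  env: Record<string, string | undefined>,
  allowLive = false
): string {
  const key = env.STRIPE_SECRET_KEY;
  if (!key) throw new Error('STRIPE_SECRET_KEY is not set');
  if (key.startsWith('sk_live_')) {
    if (!allowLive) throw new Error('refusing live Stripe key without allowLive=true');
    return key;
  }
  if (!key.startsWith('sk_test_')) throw new Error('unrecognised Stripe secret key format');
  return key;
}

// Constructed sample resembling the flagged reference file (not the real file).
export const SAMPLE = [
  'const stripe = new Stripe(config.stripe.secretKey);',
  'const config = {',
  '  stripe: {',
  "    secretKey: 'sk_test_EXAMPLE0000000000',",
  '    clientSecret: process.env.STRIPE_CLIENT_SECRET,',
  "    webhookSecret: '[REDACTED]',",
  '    restrictedToken: "${STRIPE_RESTRICTED_TOKEN}",',
  '  },',
  '};',
].join('\n');
```

Run against `SAMPLE`, only the `secretKey` line is reported: the `[REDACTED]` value and the `${...}` template are treated as already scrubbed, and an `sk_test_` literal is still flagged because a test key committed to a shared package is still credential material. The loader deliberately takes `env` as a parameter instead of reading `process.env` directly, which keeps the live-key refusal testable without touching the real environment.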