suspicious.exposed_secret_literal
- Location: references/examples.md:70
- Finding: File appears to expose a hardcoded API secret or token.
Advisory. Audited by static analysis on May 10, 2026.
Detected: suspicious.exposed_secret_literal
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If adapted or run against a production or unauthorized target, these tests could create unwanted orders, alter application data, or degrade service availability.
The example can drive a large spike load and perform state-changing checkout requests against a configurable target application.
spike_test ... { duration: '10s', target: 1400 } ... http.post(`${BASE_URL}/api/checkout`, JSON.stringify(checkoutData), { headers })
Run load tests only against systems you control or have explicit permission to test, use staging/sandbox environments, and add safeguards for checkout or other state-changing flows.
Users who copy the pattern with real credentials could expose or misuse accounts during performance testing.
The example demonstrates logging in with credentials and reusing a bearer token during the test; the shown password appears synthetic, but credential handling is still present.
const token = authenticate(BASE_URL, { email: `user${__VU}@example.com`, password: 'password123' }); ... return loginResponse.json('token');
Use dedicated test accounts, keep real credentials out of scripts, prefer environment variables or secret managers, and ensure tokens are not logged or shared.