my_acceptance_rate_analysis

Advisory. Audited by static analysis on May 10, 2026.

Overview

Detected: suspicious.exposed_secret_literal

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone running the skill may use a shared embedded DataWorks credential, which can expose internal metric access and blur accountability for queries.

Why it was flagged

The skill falls back to an embedded access token and sends it as a DataWorks session cookie, despite the registry declaring no primary credential or required environment variable.

Skill content

DEFAULT_ACCESS_TOKEN = os.getenv("BIGDATA_ACCESS_TOKEN", "manage-…") ... headers={"Cookie": f"bigdata_access_token={access_token or DEFAULT_ACCESS_TOKEN}"}

Recommendation

Remove and rotate the embedded token, require a user-provided least-privilege credential such as BIGDATA_ACCESS_TOKEN, and declare that credential in the skill metadata.

What this means

Business metric results and potentially sensitive operational data may remain in local logs after the analysis finishes.

Why it was flagged

Detailed API response data, including SQL and result rows, is logged by default unless DATAWORKS_QUERY_LOG is disabled.

Skill content

if os.getenv("DATAWORKS_QUERY_LOG", "1")... logger.info("[query_metric_data] 响应原始数据 {}", json.dumps({"sql": data.get("sql"), "column_head_list": column_head_list, "data_list": data_list, "rows": _map_response_rows(...)}, ...))

Recommendation

Disable raw query logging by default, redact sensitive fields, document the log location and retention behavior, and make verbose logging an explicit user opt-in.

Findings (1)

critical

suspicious.exposed_secret_literal

Location

scripts/acceptance_rate_analysis.py:47

Finding

File appears to expose a hardcoded API secret or token.