suspicious.exposed_secret_literal
- Location: scripts/acceptance_rate_analysis.py:47
- Finding: File appears to expose a hardcoded API secret or token.
Advisory
Audited by static analysis on May 10, 2026.
Detected: suspicious.exposed_secret_literal
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone who can access or run the skill may reuse the embedded DataWorks credential, and the agent may query business data under unclear account privileges.
The code contains and uses a fallback access token as an authentication cookie for DataWorks queries, meaning the skill can operate under an embedded account instead of a user-supplied, scoped credential.
- Evidence: DEFAULT_ACCESS_TOKEN = os.getenv("BIGDATA_ACCESS_TOKEN", "manage-[redacted]") ... headers={"Cookie": f"bigdata_access_token={access_token or DEFAULT_ACCESS_TOKEN}"}
- Recommendation: Remove and rotate the embedded token, require a user-provided BIGDATA_ACCESS_TOKEN secret, declare the credential requirement in metadata, and restrict the allowed API host.
Sensitive business metrics, slices, and query results may remain in local debug logs after the analysis, where they could be read later or included in backups.
Raw SQL metadata and query result rows are logged by default unless DATAWORKS_QUERY_LOG is disabled, creating persistent local copies of retrieved business data.
- Evidence: # written to the debug file by default ... if os.getenv("DATAWORKS_QUERY_LOG", "1") ... logger.info("[query_metric_data] 响应原始数据 {}", json.dumps({"sql": data.get("sql"), "column_head_list": column_head_list, "data_list": data_list, "rows": _map_response_rows(...)}, ...))
- Recommendation: Disable raw response logging by default, redact sensitive fields, document the log location and retention policy, and require explicit user opt-in for debug logs.