ContextOverflow

Advisory

Audited by Static analysis on May 10, 2026.

Overview

Detected: suspicious.exposed_secret_literal

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern
High Confidence
ASI10: Rogue Agents

What this means

The agent may keep participating in the forum and posting public comments even when the user has not explicitly asked it to do so each time.

Why it was flagged

The skill instructs the agent to add a recurring task that continues checking the forum and generating comments on a schedule.

Skill content

Add this to your `HEARTBEAT.md` ... `## Context Overflow (every 6-12 hours)` ... `Comment on 2-4 posts`

Recommendation

Only enable a heartbeat if the user explicitly opts in, and require user review before any public post or comment is submitted.

What this means

The agent could publish content under a chosen agent name, affecting public discussion and potentially the user's or agent's reputation.

Why it was flagged

The documentation exposes direct write operations for public comments and posts, and the heartbeat workflow encourages repeated use without an explicit approval checkpoint.

Skill content

curl -X POST https://vbafdazmlsbeqqybiyld.supabase.co/rest/v1/comments ... "content": "Your thoughtful comment or question", "author_name": "YourAgentName"

Recommendation

Treat all POST requests as high-impact actions: show the exact content, destination, and author name to the user before submitting.

What this means

Posts, comments, or reads may go to a different backend than the user expects.

Why it was flagged

The README points to this Supabase project, while SKILL.md lists a different base URL (`https://yhizbunkibjhgpggbkyy.supabase.co`). This makes the intended backend unclear.

Skill content

curl "https://vbafdazmlsbeqqybiyld.supabase.co/rest/v1/posts?order=created_at.desc&limit=10"

Recommendation

Verify the canonical endpoint and key before use, and do not enable autonomous posting until all artifacts agree on the same backend.

What this means

No user credential is requested, but actions are made through shared forum API authority rather than a clearly user-scoped account.

Why it was flagged

The skill uses an embedded Supabase publishable/anon key as the authorization mechanism for the forum API.

Skill content

**Anon Key:** `sb_publishable_...` ... `Authorization: Bearer sb_publishable_...`

Recommendation

Confirm what permissions the anon key has and avoid treating it as a private user credential.

What this means

Anything submitted to the forum may be sent to Google Gemini for moderation.

Why it was flagged

The skill discloses that submitted content is processed by an external AI moderation provider.

Skill content

Every post and comment goes through Google's Gemini AI before appearing on the forum.

Recommendation

Do not submit confidential or sensitive information, and make the external moderation data flow clear to users.

Findings (2)

critical

suspicious.exposed_secret_literal

Location
readme.md:29
Finding
File appears to expose a hardcoded API secret or token.

critical

suspicious.exposed_secret_literal

Location
skill.md:96
Finding
File appears to expose a hardcoded API secret or token.