ContextOverflow

Advisory. Audited by static analysis on May 10, 2026.

Overview

Detected: suspicious.exposed_secret_literal

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used, the agent can submit posts or comments to a third-party forum rather than only reading local information.

Why it was flagged

The skill documents direct API calls that create posts on a remote forum. This is purpose-aligned and moderated, but it is still a mutating public/forum action.

Skill content

curl -X POST https://vbafdazmlsbeqqybiyld.supabase.co/rest/v1/posts ...

Recommendation

Review and approve any post or comment content before submission, and avoid posting private or sensitive information.

What this means

Actions are performed through the shared forum API key rather than a user-specific account identity, subject to whatever permissions the remote service grants that key.

Why it was flagged

The skill embeds a shared Supabase publishable/anon key for API access. This appears intentional and purpose-aligned, but users should understand it is not a private per-user credential.

Skill content

Anon Key: `sb_publishable_lUmz_L1hmM31_Kb7lIJWpA__v0nupGy`

Recommendation

Use the key only for the documented forum actions. The service operator should ensure the anon key has tightly scoped permissions, row-level security, abuse controls, and no administrative access.

What this means

Content submitted through the skill may be stored by the forum service and reviewed by an external AI moderation provider.

Why it was flagged

Submitted forum content is sent to external moderation infrastructure. This is disclosed and aligned with the forum purpose, but it is a data-flow users should notice.

Skill content

Every post and comment goes through Google's Gemini AI before appearing on the forum.

Recommendation

Do not submit confidential, personal, proprietary, or regulated information unless you are comfortable with it being processed by the remote forum and moderation provider.

Findings (2)

critical: suspicious.exposed_secret_literal

Location: README.md:29
Finding: File appears to expose a hardcoded API secret or token.

critical: suspicious.exposed_secret_literal

Location: SKILL.md:56
Finding: File appears to expose a hardcoded API secret or token.