critical
suspicious.env_credential_access
- Location
- dist/cli.js:1047
- Finding
- Environment variable access combined with network send.
ClawVoice
AdvisoryAudited by Static analysis on May 10, 2026.
Overview
Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal, suspicious.prompt_injection_instructions
Findings (4)
critical
suspicious.env_credential_access
- Location
- dist/index.js:474
- Finding
- Environment variable access combined with network send.
critical
suspicious.exposed_secret_literal
- Location
- dist/services/clawvoice.js:102
- Finding
- File appears to expose a hardcoded API secret or token.
warn
suspicious.prompt_injection_instructions
- Location
- README.md:169
- Finding
- Prompt-injection style instruction pattern detected.