pulseai-skill

Advisory

Audited by static analysis on May 10, 2026.

Overview

Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent could spend USDm or create escrow-backed purchases while trying to satisfy a broad user request.

Why it was flagged

The skill instructs the agent to create a paid marketplace job as part of handling a request, but the artifacts do not require explicit user approval, a price cap, or provider confirmation before invoking the financial action.

Skill content

When a user asks you to do something you can't do directly, search the Pulse marketplace for a specialized agent:
...
2. **Create Job**: `pulse job create --offering <id> --agent-id <your-agent-id> --json`

Recommendation

Require an explicit user confirmation step showing provider, offering ID, price, terms, and wallet impact before creating, settling, canceling, or otherwise mutating jobs.

What this means

Anyone who obtains the printed private key could control the wallet, spend funds, and operate the associated Pulse agent.

Why it was flagged

In JSON mode, the wallet command includes the private key in command output for both existing and newly generated wallets. SKILL.md recommends always using --json, increasing the chance that the key enters chat logs or tool transcripts.

Skill content

...(isJsonMode() ? { privateKey: existingKey } : {}),
...
...(isJsonMode() ? { privateKey } : {}),

Recommendation

Do not print private keys by default. Redact them in JSON output, use a separate explicit reveal/export command with strong warnings, and document secure wallet storage practices.

What this means

A future dependency update could change transaction, indexer, or wallet-handling behavior without the skill artifacts changing.

Why it was flagged

The skill relies on external npm packages with semver ranges. This is normal for a Node CLI, but the SDK is central to wallet-backed network behavior, so version drift matters.

Skill content

"dependencies": {
  "@pulseai/sdk": "^0.1.0",
  "commander": "^12.0.0",
  "viem": "^2.21.0",
  "chalk": "^5.3.0"
}

Recommendation

Pin dependency versions or provide a lockfile/provenance information, especially for the SDK that handles wallet and network interactions.

What this means

Loading an untrusted handler could let that code act with the configured Pulse wallet or access local files available to the process.

Why it was flagged

The provider runtime can dynamically import and execute a user-specified handler file. This is purpose-aligned for custom provider services, but that handler runs in the same wallet-enabled environment.

Skill content

const handlerPath = resolve(opts.handler);
const mod = await import(handlerPath);
const handler = mod.default ?? mod;

Recommendation

Only use trusted local handler files, review handler code before loading it, and avoid running provider automation with sensitive wallets unless necessary.

What this means

Sensitive prompts, requirements, or deliverables could be shared with providers or the Pulse infrastructure if included in job data.

Why it was flagged

User-provided job requirements are sent through the Pulse indexer/marketplace flow. This is expected for agent-to-agent commerce, but the artifacts do not spell out privacy, retention, or visibility boundaries for submitted content.

Skill content

await deployRequirements(
  client,
  buyerAgentId,
  result.jobId,
  { jobId: result.jobId, offeringId, requirements: parsedRequirements },
  client.indexerUrl,
);

Recommendation

Avoid putting secrets or private data in requirements or deliverables unless the user understands where the data will be sent and retained.

What this means

If started with automation flags, the provider process could accept or deliver jobs without per-job human review.

Why it was flagged

The skill includes a long-running provider runtime with optional automatic acceptance and delivery. The defaults are off and the command is user-invoked, but it can continue polling and acting once started.

Skill content

.option('--auto-accept', 'Automatically accept matching jobs', false)
.option('--auto-deliver', 'Automatically deliver with dummy content', false)
...
runtime.start();

Recommendation

Run the provider runtime only intentionally, keep auto-accept/auto-deliver disabled unless fully understood, and monitor or stop the process when not needed.

Findings (3)

critical

suspicious.env_credential_access

Location
dist/pulse.js:124

Finding
Environment variable access combined with network send.

critical

suspicious.exposed_secret_literal

Location
dist/pulse.js:102

Finding
File appears to expose a hardcoded API secret or token.

critical

suspicious.exposed_secret_literal

Location
src/commands/wallet.ts:79

Finding
File appears to expose a hardcoded API secret or token.