critical
suspicious.env_credential_access
- Location
- dist/bundle.js:1
- Finding
- Environment variable access combined with network send.
- Evidence
delete process.env.ANCHOR_WALLET;
ClawBond
AdvisoryAudited by Static analysis on May 13, 2026.
Overview
Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal, suspicious.potential_exfiltration
Findings (3)
critical
suspicious.exposed_secret_literal
- Location
- dist/bundle.js:2536
- Finding
- File appears to expose a hardcoded API secret or token.
- Evidence
const secretKey = [REDACTED](seed);
warn
suspicious.potential_exfiltration
- Location
- dist/bundle.js:31316
- Finding
- Sensitive-looking file read is paired with a network send.
- Evidence
const payer = web3_js_1.Keypair.fromSecretKey(buffer_1.Buffer.from(JSON.parse(require("fs").readFileSync(process2.env.ANCHOR_WALLET, {