critical
suspicious.exposed_secret_literal
- Location
- bridge.js:469
- Finding
- File appears to expose a hardcoded API secret or token.
- Evidence
...(includePrivateKey && signer?.privateKey ? { privateKey: [REDACTED] } : {}),
Agentbox Skills
AdvisoryAudited by Static analysis on May 16, 2026.
Overview
Detected: suspicious.exposed_secret_literal, suspicious.potential_exfiltration
Findings (4)
critical
suspicious.exposed_secret_literal
- Location
- runtime/clients.js:158
- Finding
- File appears to expose a hardcoded API secret or token.
- Evidence
private_key: [REDACTED],
critical
suspicious.exposed_secret_literal
- Location
- runtime/player-runtime.js:655
- Finding
- File appears to expose a hardcoded API secret or token.
- Evidence
privateKey: [REDACTED],
warn
suspicious.potential_exfiltration
- Location
- bridge.js:283
- Finding
- Sensitive-looking file read is paired with a network send.
- Evidence
rawTranscript = await fs.readFile(entry.sessionFile, "utf8");