Pinclaw

AdvisoryAudited by Static analysis on May 19, 2026.

Overview

Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal

Findings (5)

critical

suspicious.env_credential_access

Location: dist/src/core/ws-handler.js:56
Finding: Environment variable access combined with network send.
Evidence: const iaKey = process.env.INTERACTIVE_AI_KEY || process.env.AI_API_KEY || "";

critical

suspicious.env_credential_access

Location: dist/src/tools/generate-audio.js:12
Finding: Environment variable access combined with network send.
Evidence: const relayToken = process.env.PINCLAW_RELAY_TOKEN;

critical

suspicious.env_credential_access

Location: dist/src/tools/generate-image.js:12
Finding: Environment variable access combined with network send.
Evidence: const relayToken = process.env.PINCLAW_RELAY_TOKEN;

critical

suspicious.exposed_secret_literal

Location: dist/src/channel.js:149
Finding: File appears to expose a hardcoded API secret or token.
Evidence: authToken: [REDACTED],

critical

suspicious.exposed_secret_literal

Location: dist/src/cli-auth.js:62
Finding: File appears to expose a hardcoded API secret or token.
Evidence: apikey: [REDACTED]