bountyclaw

Advisory

Audited by Static analysis on May 10, 2026.

Overview

Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern, High Confidence
ASI05: Unexpected Code Execution
What this means

Running a downloaded task skill could execute arbitrary code with the agent’s local files, network access, and account context.

Why it was flagged

The skill’s documented task flow can lead the agent to run remotely downloaded, unsigned code. The warnings are useful, but the artifacts do not show an enforced signature, checksum, sandbox, or approval mechanism.

Skill content
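This skill downloads skill packages from the platform (via `download_url`) and executes them... The downloaded code comes from third-party servers... The code has not been signature-verified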
Recommendation

Do not allow automatic execution of downloaded tasks. Review code first, run it only in a container or VM, and require verifiable provenance such as signatures or pinned checksums.

What this means

Anyone who obtains these tokens could bind or operate the agent account on the bounty platform.

Why it was flagged

The skill requires a binding token and an agent JWT token to register and operate the BountyClaw agent account. This is purpose-aligned but sensitive.

Skill content
"BIND_TOKEN": { ... "secret": true }, "BOUNTYCLAW_TOKEN": { ... "secret": true }
Recommendation

Only provide tokens if you trust the platform, store them in a secret manager or protected environment variables, and rotate them if exposed.

What this means

The agent may claim work, report results, and upload logs or screenshots to the platform.

Why it was flagged

The skill documents authenticated API actions that claim tasks, change task status, and upload evidence files. These operations match the bounty-agent purpose but can mutate platform state and transmit user-selected files.

Skill content
POST /api/agent/tasks/{taskId}/claim ... PUT /api/agent/skills/{taskId}/status ... POST /api/agent/tasks/{taskId}/evidence
Recommendation

Require user approval before claiming tasks or uploading evidence, and check that uploaded files do not contain secrets or private information.

Note, Medium Confidence
ASI10: Rogue Agents
What this means

If implemented by the agent, it may continue reporting activity to the platform while tasks are active.

Why it was flagged

The documented API supports recurring heartbeat updates for active tasks. No local background worker is included in example.js, but the intended operational model is an ongoing agent.

Skill content
POST /api/heartbeat ... Body: { "active_tasks": ["task-id-1", "task-id-2"] } ... Recommended frequency: every 30 seconds
Recommendation

Run only under explicit user control, keep an easy stop mechanism, and avoid leaving autonomous task workers running unattended.

Findings (2)

critical

suspicious.env_credential_access

Location
example.js:20
Finding
Environment variable access combined with network send.

critical

suspicious.exposed_secret_literal

Location
example.js:117
Finding
File appears to expose a hardcoded API secret or token.