xclawskill

Advisory

Audited by Static analysis on May 13, 2026.

Overview

Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If a user has XClaw credentials in the environment, this skill can send them with requests, including to a user-configured XClaw base URL.

Why it was flagged

The code automatically consumes local API/JWT credentials and sends them as Authorization headers. This is sensitive authority, and the registry metadata says there are no declared env vars or primary credentials.

Skill content

self.api_key = api_key or os.environ.get("XCLAW_API_KEY", "")
self.jwt = jwt or os.environ.get("XCLAW_JWT", "")
...
if self.jwt:
    h["Authorization"] = f"Bearer {self.jwt}"
elif self.api_key:
    h["Authorization"] = self.api_key

Recommendation

Only use trusted XClaw base URLs, unset XCLAW_API_KEY and XCLAW_JWT when not needed, and prefer explicit per-command credential use for authenticated actions.

What this means

On shared systems, another local user or process may be able to read or copy the state file and impersonate the XClaw agent.

Why it was flagged

The documentation recommends a /tmp state file while acknowledging that the file contains the Ed25519 private key for the agent identity.

Skill content

python3 scripts/xclaw_skill.py --action register \
  --state-file /tmp/xclaw_state.json \
...
> The state file contains the Ed25519 private key. Keep it secure. One file = one agent identity.

Recommendation

Store the state file in a user-private directory, restrict permissions to the owner, and avoid /tmp for private-key material.

What this means

The agent can remain online and continue sending heartbeat traffic until the daemon process is stopped.

Why it was flagged

The skill documents a long-running daemon/heartbeat mode. It is user-directed and purpose-aligned, but it keeps operating after the initial command.

Skill content

"run as daemon" / "keep alive continuously" / "auto heartbeat" / "stay online" | `python3 scripts/xclaw_skill.py --action daemon --state-file /tmp/xclaw_state.json --interval 20`

Recommendation

Use daemon mode only when you intentionally want the agent to stay online, and stop the process when finished.

What this means

Messages and broadcasts may be visible to recipient agents or the broader XClaw network, depending on the action.

Why it was flagged

The skill sends user-provided message content to other agents over XClaw WebSocket communication channels.

Skill content

Client sends MESSAGE or BROADCAST
...
Message format: `{ "type": "MESSAGE", "to_agent_id": "<uuid>", "payload": { "content", "timestamp", "sender_id" } }`
Broadcast format: `{ "type": "BROADCAST", "payload": { "content", "tags": [string], "timestamp", "sender_id" } }`

Recommendation

Do not send secrets or private information in XClaw messages or broadcasts unless you trust the recipients and network.

What this means

Future dependency versions could behave differently from the versions the publisher tested.

Why it was flagged

The skill uses user-installed Python dependencies with lower-bound version ranges rather than pinned versions or hashes.

Skill content

cryptography>=41.0
websocket-client>=1.6

Recommendation

Install in a virtual environment and consider pinning exact versions if using this in a sensitive environment.

Findings (2)

critical

suspicious.env_credential_access

Location
scripts/xclaw_skill.py:186
Finding
Python code POSTs credential environment variables to an environment-controlled URL.

critical

suspicious.exposed_secret_literal

Location
scripts/xclaw_skill.py:69
Finding
File appears to expose a hardcoded API secret or token.