Who Is Undercover Publish
Advisory. Audited by static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A hard-coded token hands the key owner's account authority to everyone who installs the package: anyone who reads the code can extract and reuse the credential, and any user who runs the controller acts against the InStreet API as that account.
The package embeds a provider API key directly in runnable code instead of requiring a user-provided or scoped credential; the registry metadata declares no credentials or required environment variables.
const apiKey = 'sk_inst_22609319753836272e6a044f4e9a44f3'; const controller = new InStreetGameController(apiKey);
Remove the embedded key, rotate it, require users to provide their own scoped credential through a declared environment variable or OAuth flow, and document the exact permissions used.
Running the InStreet controller can send game actions to an external service and mutate remote game state, which users may not expect from a skill described primarily as local game logic.
The adapter performs external API operations that create rooms and submit game moves. These remote mutations are not clearly declared in the registry capability/credential contract.
this.baseURL = 'https://instreet.coze.site/api/v1/games'; ... axios.post(`${this.baseURL}/rooms`, ...); ... axios.post(`${this.baseURL}/rooms/${roomId}/move`, ...)
Declare the external service integration, make remote actions an explicit opt-in mode, require user confirmation before creating rooms or submitting moves, and document what data is sent.
Users could install the skill believing it is fully local when the package also contains code for networked operation.
The skill's documentation tells users it has no external network access and that all logic runs locally, but the bundled InStreet files make HTTPS calls to an external API and send a Bearer token.
- No external network request permission (all logic runs locally)
Correct the documentation and metadata so users can distinguish the local-only game mode from any InStreet/remote integration and its network/credential requirements.
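What the remediations for the three findings above look like in code, as an added example that is not the skill's own adapter: remote mode is off by default, the credential comes from a user-supplied environment variable with no embedded fallback, and every room creation or move is shown to a confirm callback as the exact request before anything is sent. The environment variable name INSTREET_API_KEY, the option names `remote`, `confirm` and `post`, and the request body shapes are assumptions; the endpoints are the ones quoted in the evidence, and the HTTP transport is injected so the adapter does not itself pull in axios.

```javascript
// Added example, not the skill's own code: hardened shape for the InStreet adapter.
// Assumptions: env var INSTREET_API_KEY, the option names below, and the body shapes.
const INSTREET_BASE_URL = 'https://instreet.coze.site/api/v1/games';

class InStreetGameController {
  constructor({ remote = false, apiKey = process.env.INSTREET_API_KEY, confirm, post } = {}) {
    // Remote integration is opt-in. In the default local-only mode the
    // controller holds no credential and has no transport it could call.
    this.remote = remote === true;
    this.apiKey = null;
    this.post = null;
    this.confirm = null;
    if (!this.remote) return;
    if (typeof apiKey !== 'string' || apiKey.trim() === '') {
      throw new Error('remote mode requires INSTREET_API_KEY to be set by the user (no embedded default)');
    }
    if (typeof post !== 'function' || typeof confirm !== 'function') {
      throw new Error('remote mode requires an HTTP transport (post) and a confirm(plan) callback');
    }
    this.apiKey = apiKey;
    this.post = post;       // e.g. axios.post, with axios declared in package.json
    this.confirm = confirm; // e.g. a CLI prompt; must return true for explicit approval
  }

  // Build the exact outgoing request so the user can see what is sent
  // before anything leaves the machine. Throws in local-only mode.
  planRemoteAction(action, path, body) {
    if (!this.remote) {
      throw new Error(`refused: "${action}" needs remote mode, which is off`);
    }
    return {
      action,
      method: 'POST',
      url: `${INSTREET_BASE_URL}${path}`,
      body,
      // The token value is deliberately not part of the plan shown to the user.
      headers: { Authorization: 'Bearer <INSTREET_API_KEY>' },
    };
  }

  // Ask for confirmation, then send. Returns { sent: false } when the
  // user declines; otherwise returns whatever the transport returns.
  runRemoteAction(plan) {
    if (this.confirm(plan) !== true) {
      return { sent: false, action: plan.action };
    }
    const headers = { Authorization: `Bearer ${this.apiKey}` };
    return { sent: true, response: this.post(plan.url, plan.body, { headers }) };
  }

  createRoom(players) {
    return this.runRemoteAction(this.planRemoteAction('create room', '/rooms', { players }));
  }

  submitMove(roomId, move) {
    const path = `/rooms/${encodeURIComponent(roomId)}/move`;
    return this.runRemoteAction(this.planRemoteAction(`submit move to room ${roomId}`, path, move));
  }
}
```

In the real adapter, pass `post: axios.post` and a `confirm` that prompts the user; in a test, a recording fake for `post` and a fixed `confirm` are enough to show that nothing is sent in local-only mode, that remote mode fails closed without a user-supplied key, and that a declined prompt sends nothing.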
The InStreet integration may fail or prompt users to manually install an undeclared package, which weakens reproducibility and reviewability.
The included adapter depends on axios, while the provided package.json does not declare dependencies. If this remote-integration code is intended to run, its dependency provenance is incomplete.
const axios = require('axios');
Declare and pin runtime dependencies in package.json, or remove unused integration files from the published skill package.
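A check a reviewer can run over the package before publishing, as an added example that is not ClawScan's scanner: it flags string literals matching the provider key shape quoted in the first finding and any require() of a package that package.json does not declare, which is the fourth finding. The key pattern, sk_inst_ followed by 32 hex characters, is inferred from the quoted evidence and is an assumption; the sample files and package.json below are constructed, and the sample key is a placeholder rather than the one in the evidence.

```javascript
// Added example, not ClawScan's scanner: artifact-level checks for the
// hard-coded provider key and the undeclared axios dependency.
// Assumption: InStreet keys look like sk_inst_ followed by 32 hex chars
// (inferred from the advisory's quoted evidence). Sample inputs are constructed.

const NODE_BUILTINS = new Set(['fs', 'path', 'os', 'http', 'https', 'crypto', 'util', 'events', 'url', 'child_process']);

// Provider key shapes to flag when they appear as string literals.
// Extend with other providers' prefixes as needed.
const KEY_PATTERNS = [
  { kind: 'instreet-api-key', re: /['"`](sk_inst_[0-9a-f]{32})['"`]/g },
];

function lineOf(source, index) {
  return source.slice(0, index).split('\n').length;
}

// Literal credentials embedded in source. The preview is truncated so
// the report itself does not re-leak the secret.
function findEmbeddedKeys(source, filename) {
  const findings = [];
  for (const { kind, re } of KEY_PATTERNS) {
    for (const m of source.matchAll(re)) {
      findings.push({ kind, file: filename, line: lineOf(source, m.index), preview: m[1].slice(0, 12) + '...' });
    }
  }
  return findings;
}

// require() of packages that package.json does not declare. Relative
// paths and Node built-ins are skipped; scoped packages keep their scope.
function findUndeclaredRequires(source, filename, packageJson) {
  const declared = new Set([
    ...Object.keys(packageJson.dependencies || {}),
    ...Object.keys(packageJson.peerDependencies || {}),
  ]);
  const findings = [];
  for (const m of source.matchAll(/require\(\s*['"]([^'"]+)['"]\s*\)/g)) {
    const spec = m[1];
    if (spec.startsWith('.') || spec.startsWith('/') || spec.startsWith('node:')) continue;
    const pkg = spec.startsWith('@') ? spec.split('/').slice(0, 2).join('/') : spec.split('/')[0];
    if (NODE_BUILTINS.has(pkg) || declared.has(pkg)) continue;
    findings.push({ kind: 'undeclared-dependency', file: filename, line: lineOf(source, m.index), package: pkg });
  }
  return findings;
}

// files: { filename: sourceText }. Returns one record per finding.
function scanSkill(files, packageJson) {
  const findings = [];
  for (const [name, source] of Object.entries(files)) {
    findings.push(...findEmbeddedKeys(source, name));
    findings.push(...findUndeclaredRequires(source, name, packageJson));
  }
  return findings;
}

// Constructed sample mirroring the advisory's evidence (placeholder key, not the real one).
const SAMPLE_FILES = {
  'instreet-adapter.js': [
    "const axios = require('axios');",
    "const path = require('path');",
    "const apiKey = 'sk_inst_" + 'deadbeef'.repeat(4) + "';",
    'const controller = new InStreetGameController(apiKey);',
  ].join('\n'),
  'game.js': "const util = require('util');\nmodule.exports = { deal: () => 'local only' };",
};
const SAMPLE_PACKAGE_JSON = { name: 'who-is-undercover', version: '1.0.0' }; // no dependencies declared

console.log(JSON.stringify(scanSkill(SAMPLE_FILES, SAMPLE_PACKAGE_JSON), null, 2));
```

Declaring axios in package.json clears the dependency finding but not the key finding; only removing the literal and reading the credential from a declared environment variable clears both, which is the order the remediations above ask for.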
