Sovereign Security Auditor

Advisory

Audited by static analysis on May 10, 2026.

Overview

Detected: suspicious.exposed_secret_literal

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If you point the agent at a repository containing production secrets, those secrets may be read during the audit.

Why it was flagged

The skill explicitly directs the agent to inspect files that can contain real credentials or account secrets. This is expected for secrets detection, but it is sensitive access.

Skill content
Configuration -- Look for `.env`, config files, hardcoded values
Recommendation

Use the skill only on code you are authorized to review, scope the files or repository clearly, and prefer test/redacted secrets where possible.

What this means

Audit output could reveal credential values to anyone who can see the agent conversation or report.

Why it was flagged

The example report style reproduces secret values. If applied to real code, full secrets could end up in chat history, logs, or shared audit reports.

Skill content
Credentials Found: 1. Database password: `Sup3rS3cret!Pr0d@2024` ... 6. JWT signing secret: `my-jwt-secret-do-not-share`
Recommendation

Ask the agent to mask secrets in findings, such as showing only the secret type, file location, and a short fingerprint, and rotate any real secrets found in code.

Findings (1)

critical

suspicious.exposed_secret_literal

Location
EXAMPLES.md:235
Finding
File appears to expose a hardcoded API secret or token.