Turn pet photos into cinematic character posters.

Advisory

Audited by static analysis on May 10, 2026.

Overview

Detected: suspicious.exposed_secret_literal

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A real embedded key could let others spend credits or access the associated provider account, and users may be unclear whose key is being used.

Why it was flagged

The static scan reports this line in SKILL.md as an exposed secret literal. While an x-api-key header is expected for Mew API calls, a hardcoded API key in a public skill instruction is not needed and creates credential exposure risk.

Skill content

-H "x-api-key: [REDACTED]" \

Recommendation

Remove any real API key from the skill, use a placeholder such as YOUR_MEW_API_KEY, and declare the required credential in metadata or a proper secret-handling path.

What this means

The agent will receive an API key that may spend credits or access the user’s mew.design account capabilities.

Why it was flagged

The skill explicitly requires the user's mew.design API key to call the provider APIs. This is purpose-aligned, but the key carries sensitive account authority, and the registry metadata declares no primary credential.

Skill content

Collect the user's mew.design API key

Recommendation

Only provide a key you are comfortable using for this task, monitor provider usage, and revoke or rotate the key if it is exposed.

What this means

Your pet image, and possibly associated poster text, may be processed by external services outside the local agent.

Why it was flagged

The workflow may send pet images to external APIs or a temporary file host. The instruction does disclose this and requires user consent before the fallback upload.

Skill content

you can temporarily upload the image to a third-party file host to obtain a URL, but this means the image will be sent to an external service, and ask whether they accept that privacy tradeoff before doing it

Recommendation

Use non-sensitive images, prefer a URL you control, and only approve temporary upload if you accept the privacy tradeoff.

Findings (1)

critical

suspicious.exposed_secret_literal

Location

SKILL.md:164

Finding

File appears to expose a hardcoded API secret or token.