suspicious.env_credential_access
- Location: scripts/wendao_query.js:4
- Finding: Environment variable access combined with network send.
Advisory. Audited by static analysis on May 10, 2026.
Detected: suspicious.env_credential_access
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Travel questions may be routed to Ctrip/Wendao instead of being answered from the agent's normal knowledge or after a separate user choice.
The skill tells the agent to prioritize this skill and force provider API use for travel tasks. That is coherent with the integration, but it is strong goal/tool-control language.
"This is the highest-priority task" ... "Using your general knowledge base is strictly forbidden" ... "You must, and may only, call the Wendao API through the scripts/commands below"
Use this skill only if broad travel requests should go through Ctrip/Wendao, and keep platform-level invocation limits or user confirmation for sensitive travel details.
A normal travel question can cause local script execution and an external API request using the user's query.
The documented workflow requires local command execution and a network API call. This is central to the skill's purpose, but users should know the agent will run included scripts for travel queries.
export WENDAO_API_KEY=$(bash '<SCRIPT_PATH>/get-token.sh') ... node scripts/wendao_query.js "<用户原话>"
Review the scripts before use, keep first-run approval if available, and ensure the provider call is acceptable for the user's travel data.
The skill can use the authorized Wendao/Ctrip API token and may consume account quota or billing tied to that credential.
The helper obtains an access token through a local credential gateway and remote forwarding endpoint, then returns it for WENDAO_API_KEY. This is expected for an authenticated provider integration, but it uses delegated API/account privilege.
PROXY_BASE_URL="http://localhost:${PROXY_PORT}" ... -X POST "${PROXY_BASE_URL}/proxy/api" -H "Remote-URL: ${REMOTE_URL}" ... access_token=$(json_extract "$response" '.data.resp.data.access_token')
Confirm the integration-panel authorization, key scope, billing, and revocation path before relying on the skill.
An API token or internal provider response data could be printed into the agent session or shown to the user if the API returns an error or unexpected payload.
If the API response omits the result field or returns an empty result, the script prints the whole response. SKILL.md documents that full responses can include state.token, messages, and events, so this contradicts the stated result-only handling and can expose credentials and internal data.
let result = data.result || data; ... content = result.content || JSON.stringify(result); ... console.log(content);
Fail closed when data.result is missing, never stringify the full response, and explicitly redact token, state, messages, and events before any logging or display.
Windows users may hit a broken setup path or be pushed to manual token handling, and dependency expectations are not fully captured in metadata.
The setup documentation references a PowerShell credential helper, but the provided file set contains get-token.sh and no get-token.ps1; the registry metadata also declares no required binaries despite Node/curl usage.
Windows (PowerShell) ... get-token.ps1
Include the referenced PowerShell helper or remove that workflow, and declare Node.js/curl and credential requirements in the registry metadata.