Real-time Crypto Price API

Advisory

Audited by Static analysis on May 10, 2026.

Overview

Detected: suspicious.env_credential_access

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If you provide a PRISM API key, it will be sent to the configured PRISM API URL to authenticate requests.

Why it was flagged

The library can use an API key from the environment and transmit it to the configured API endpoint. This is expected for a provider-backed price API, but it is still credential handling users should notice.

Skill content

this.apiKey = apiKey || process.env.PRISM_API_KEY; ... headers['Authorization'] = `Bearer ${this.apiKey}`; ... fetch(url, { headers })

Recommendation

Use a dedicated PRISM API key, keep it out of logs and shared environments, and do not set PRISM_API_URL to a host you do not trust.

What this means

Installing from npm runs code from that package when you import or invoke the CLI.

Why it was flagged

The skill documentation tells users to install an npm package, while the registry metadata does not provide a verified source. The included package manifest has no dependencies or postinstall script, so this is a provenance note rather than a concern.

Skill content

Source: unknown ... Install specifications: No install spec — this is an instruction-only skill.

Recommendation

Verify the npm package name, publisher, and version before installing, especially if using it in trading bots or dashboards.

Findings (1)

critical

suspicious.env_credential_access

Location
src/index.js:7
Finding
Environment variable access combined with network send.