pancake-skills
Advisory. Audited by static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a user token is available, the agent could create or refresh a page access token without the user setting CONFIRM_WRITE=YES for that action.
This POST operation generates or refreshes a page access token but does not call confirm_write, unlike other visible write commands. That bypasses the documented write-safety model for a high-impact credential action.
```bash
pages-generate-token)
    require_env USER_ACCESS_TOKEN
    page_id="${1:?PAGE_ID required}"
    pancake_request_user POST "/api/v1/pages/${page_id}/generate_page_access_token"
    ;;
```

Add confirm_write before pages-generate-token, and treat token generation as a privileged write operation requiring explicit user approval.
Anyone or any agent process with these tokens can access and modify Pancake page/customer/message data within the token's permissions.
The skill needs personal and page-level Pancake tokens, including a non-expiring page token. This is purpose-aligned, but it is broad account authority and the registry metadata declares no primary credential or required env vars.
`USER_ACCESS_TOKEN`: Personal token... Valid for 90 days. `PAGE_ACCESS_TOKEN`: Page token... Does not expire unless deleted/renewed.
Use the least-privileged Pancake tokens available, avoid sharing them broadly, rotate page tokens when no longer needed, and update metadata to declare the credential requirements.
Unusual or attacker-influenced token/date values could cause local code execution when the script URL-encodes them.
The helper interpolates an input string directly into Python source code. A crafted value containing a quote could break out of the string and execute unintended Python code under the user's account.
```bash
url_encode() {
    python3 -c "import urllib.parse; print(urllib.parse.quote('$1', safe=''))"
}
```

Rewrite url_encode to pass data as an argument or stdin, for example `python3 -c 'import sys, urllib.parse; print(urllib.parse.quote(sys.argv[1], safe=""))' "$1"`.
