critical
suspicious.env_credential_access
- Location
- src/integrations/sonar.ts:225
- Finding
- Environment variable access combined with network send.
Deal Works Mcp
AdvisoryAudited by Static analysis on May 10, 2026.
Overview
Detected: suspicious.env_credential_access
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
ConcernHigh Confidence
ASI02: Tool Misuse and ExploitationWhat this means
An agent with this skill could move funds, lock funds in escrow, cash out, or change the state of business deals if it receives or infers the right instruction.
Why it was flagged
These are high-impact financial and deal-lifecycle mutations exposed as agent tools. The artifacts disclose them, but do not show built-in confirmations, amount ceilings, or rollback controls for these actions.
Skill content
`fund_transfer` - Transfer funds between wallets; `fund_cashout` - Cash out to external wallet; `deal_action` - Perform deal actions (sign, approve, reject, etc.)
Recommendation
Use only with a tightly scoped API key, require explicit user confirmation for every financial or legal mutation, and review all tool calls before approval.
ConcernHigh Confidence
ASI10: Rogue AgentsWhat this means
A deployed agent could continue operating after the immediate chat task and consume funds or act on delegated permissions.
Why it was flagged
The skill can create and fund autonomous agents through an external service. The artifacts do not clearly bound agent lifetime, permissions, delegation scope, or maximum budget.
Skill content
description: "Deploy a new agent from a skill definition. Optionally fund and configure SLA." ... fundingAmount ... return client.fetch("cadre", "/agents", { method: "POST", body: input,Recommendation
Deploy agents only after explicit approval, set small budgets and clear stop conditions, and verify that deal.works provides revocation, audit logs, and spending limits.
ConcernMedium Confidence
ASI03: Identity and Privilege AbuseWhat this means
If you have a Perplexity API key in the environment, the package may use it in ways that are not obvious from the main skill requirements.
Why it was flagged
The static scan reports this environment credential access combined with a network send. The registry requirements list DEAL_WORKS_API_KEY as the required credential, so PERPLEXITY_API_KEY use is not clearly declared or bounded in the supplied metadata.
Skill content
const apiKey = config?.apiKey ?? process.env.PERPLEXITY_API_KEY;
Recommendation
Do not run the skill in an environment containing unrelated API keys unless you intend the skill to use them; the publisher should declare optional credentials and describe when they are sent.
NoteHigh Confidence
ASI03: Identity and Privilege AbuseWhat this means
Anyone or any agent using this key through the skill may be able to perform powerful account actions depending on server-side scopes.
Why it was flagged
The primary deal.works credential is expected for this integration, but it is sent as a bearer token for calls across the platform's engines, including engines that can mutate funds, deals, marketplace listings, and agents.
Skill content
this.apiKey = config.apiKey ?? process.env.DEAL_WORKS_API_KEY; ... headers["Authorization"] = `Bearer ${this.apiKey}`;Recommendation
Use the least-privileged deal.works API key available, rotate it if exposed, and avoid sharing it with unrelated MCP servers or agents.
NoteHigh Confidence
ASI04: Agentic Supply Chain VulnerabilitiesWhat this means
Copying the wrong command could install or run an unintended package.
Why it was flagged
The README uses two different npm package scopes in install/config examples. That may be a documentation typo, but it could lead users to invoke a different package than the one in the install spec.
Skill content
npx @swgoettelman/deal-works-mcp ... "args": ["@goettelman/deal-works-mcp"]
Recommendation
Verify the npm package name and publisher before installation; the maintainer should make the package scope consistent across all docs and config examples.