critical
suspicious.env_credential_access
- Location
- index.js:3
- Finding
- Environment variable access combined with network send.
Crypto News
AdvisoryAudited by Static analysis on May 10, 2026.
Overview
Detected: suspicious.env_credential_access
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
NoteHigh Confidence
ASI03: Identity and Privilege AbuseWhat this means
The agent can make BlockBeats API requests using the configured API key when this skill is invoked.
Why it was flagged
The skill uses a provider API key from the environment and sends it to the BlockBeats API endpoint for authentication. This is disclosed and purpose-aligned, but users should recognize that the agent can use that configured credential.
Skill content
const apiKey = process.env.BLOCKBEATS_API_KEY; ... headers: { 'Authorization': `Bearer ${apiKey}` }Recommendation
Use a revocable, least-privilege BlockBeats API key if available, and only configure the key if you are comfortable with this skill querying that service.