qutedance-quotes

Advisory

Audited by Static analysis on May 10, 2026.

Overview

Detected: suspicious.env_credential_access

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If you configure an API key, the skill will use it when contacting the Qutedance quote service.

Why it was flagged

The script can read a Qutedance API key from config or the environment and send it as an authentication header to the configured service. This is purpose-aligned for a protected quote API, but it is still credential handling.

Skill content

const API_KEY = CONFIG.apiKey || process.env.QUTEDANCE_API_KEY || ''; ... headers['X-API-Key'] = API_KEY;

Recommendation

Use a limited-scope key if available, avoid committing real keys in config.json, and prefer environment-based secret management.

Findings (1)

critical

suspicious.env_credential_access

Location: scripts/qutedance-quotes.js:27

Finding: Environment variable access combined with network send.