critical
suspicious.env_credential_access
- Location
- scripts/source.js:11
- Finding
- Environment variable access combined with network send.
Skill Dropshipping Sourcing
AdvisoryAudited by Static analysis on May 10, 2026.
Overview
Detected: suspicious.env_credential_access
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
What this means
The skill can use your CJ API key and access token to query CJ services, and those credentials are stored in a local JSON file.
Why it was flagged
The skill requires local CJ API credentials and a configurable API base URL. This is disclosed and aligned with the CJ integration, but it is sensitive account authority.
Skill content
Config: `./cj-api.json` - `apiKey`, `baseUrl`, `accessToken`, `tokenExpiry`
Recommendation
Use a CJ key intended for this workflow, keep cj-api.json private, and confirm baseUrl points to the legitimate CJ API endpoint before running the scripts.
What this means
The skill may not run until Node.js and axios are available, and users must ensure any manually installed dependency comes from a trusted source.
Why it was flagged
The scripts depend on axios, while the supplied metadata says there is no install spec and no required binaries. This is an undeclared dependency gap rather than evidence of malicious behavior.
Skill content
const axios = require('axios');Recommendation
Install dependencies from trusted package sources, prefer pinned versions, and consider adding an explicit install specification or package manifest.
Findings (2)
critical
suspicious.env_credential_access
- Location
- scripts/token.js:10
- Finding
- Environment variable access combined with network send.