whats-next

Fail

Audited by Snyk on Jun 30, 2026

Risk Level: HIGH
Full Analysis

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I scanned the entire skill text for literal, high-entropy credentials (API keys, PEM blocks, long random tokens). No actual API keys, private keys, or random-looking tokens appear. The text only contains documentation placeholders and example/simple passwords (e.g., "YOUR_API_KEY", "sk-xxxx", "openclaw", "SecurePassword123!", "mysecretpassword") which per the rules are ignored as non-secrets.

However, the document includes the literal redaction marker "REDACTED_SECRET_" (in the "WHAT TO IGNORE" section). Per the provided scanning rules, that exact literal redaction marker is an exception: it is not treated as a harmless placeholder but instead signals that a real credential was stripped and must be flagged. For that reason I treat the presence of this literal redaction marker as evidence to flag.

Issues (1)

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

Audit Metadata
Risk Level: HIGH
Analyzed: Jun 30, 2026, 07:50 AM
Issues: 1