migrate-nanoclaw

Fail

Audited by Snyk on Jun 24, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill instructs sub-agents to extract verbatim code snippets, API calls and "specific values" from the repo (and to include them in the migration guide), which would force the LLM to reproduce any hard-coded secrets or API keys found in files and therefore creates an exfiltration risk.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). The skill includes built-in telemetry that writes a diagnostics JSON and instructs (by default) to POST it to an external PostHog endpoint using a hard-coded API key — this is a data-exfiltration / credential exposure pattern (even if the doc asks for user consent), and thus a high-risk behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). This skill explicitly refreshes its own runtime instructions by fetching and checking out upstream content from the GitHub remote (https://github.com/nanocoai/nanoclaw.git), then re-reads and follows the updated .claude/skills/migrate-nanoclaw/SKILL.md at runtime, so remote content can directly control agent prompts/behavior.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I scanned the skill for literal, high-entropy credential-like values. The diagnostics JSON includes the field:

"api_key": "phc_fx1Hhx9ucz8GuaJC8LVZWO8u03yXZZJJ6ObS4yplnaP"

This is a long, random-looking string (phc_ prefix plus high entropy) and is used in a JSON payload sent to an external analytics endpoint. Per the secret definition, this appears to be an actual API key and should be treated as a secret.

No other high-entropy secrets (PEM blocks, other API keys) were found. Most other values are placeholders, environment variable names, or simple examples (e.g., DEEPL_API_KEY, upstream URL) and were ignored as documentation placeholders or non-sensitive setup values.


MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill instructs the agent to make many invasive, state-changing operations on the host (git resets, worktree add/remove, commit/tag creation, symlinking data dirs, running installs/builds, and stopping/starting services via systemctl/launchctl), which directly modify the machine's state and can be destructive — so it should be flagged.

Issues (5)

W007
HIGH

Insecure credential handling detected in skill instructions.

E006
CRITICAL

Malicious code pattern detected in skill scripts.

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

W008
HIGH

Secret detected in skill content (API keys, tokens, passwords).

W013
MEDIUM

Attempt to modify system services in skill instructions.

Audit Metadata
Risk Level
CRITICAL
Analyzed
Jun 24, 2026, 02:09 PM
Issues
5
Security Audit — snyk — migrate-nanoclaw