Pinclaw

AdvisoryAudited by Static analysis on May 20, 2026.

Overview

Detected: suspicious.dangerous_exec, suspicious.env_credential_access, suspicious.exposed_secret_literal

Findings (6)

critical

suspicious.dangerous_exec

Location: dist/src/cli-auth.js:100
Finding: Shell command execution detected (child_process).
Evidence: exec(openCmd, (err) => {

critical

suspicious.env_credential_access

Location: dist/src/core/ws-handler.js:56
Finding: Environment variable access combined with network send.
Evidence: const iaKey = process.env.INTERACTIVE_AI_KEY || process.env.AI_API_KEY || "";

critical

suspicious.env_credential_access

Location: dist/src/tools/generate-audio.js:12
Finding: Environment variable access combined with network send.
Evidence: const relayToken = process.env.PINCLAW_RELAY_TOKEN;

critical

suspicious.env_credential_access

Location: dist/src/tools/generate-image.js:12
Finding: Environment variable access combined with network send.
Evidence: const relayToken = process.env.PINCLAW_RELAY_TOKEN;

critical

suspicious.exposed_secret_literal

Location: dist/src/channel.js:149
Finding: File appears to expose a hardcoded API secret or token.
Evidence: authToken: [REDACTED],

critical

suspicious.exposed_secret_literal

Location: dist/src/cli-auth.js:135
Finding: File appears to expose a hardcoded API secret or token.
Evidence: const accessToken = [REDACTED];