First Seen
Feb 18, 2026
Last Scanned
Feb 22, 2026
Findings
4
Score
92/100
Findings (4)
Detects API keys or tokens exposed in shell export commands
export SUPERMEMORY_API_KEY="sm_oiZHA2HcwT4tqSKmA7cCoK_opSRFViNFNxbYqjkjpVNfjSPqQWCNoOBAcxKZkKBfRVVrEQDVxLWHJPvepxqwEPe"Remove credentials from shell export statements. Use a .env file (excluded from version control) or a secrets manager, and load secrets at runtime.
Likely FP if the export line uses a placeholder value (e.g., export API_KEY=your-key-here) or is in documentation describing environment setup.
Detects execution of shell script files via bash/sh command or direct invocation
bash /root/clawd/skills/supermemory/scripts/add-memory.shReplace direct shell script execution with a language-native implementation or a sandboxed executor. If shell scripts must run, restrict them to a vetted allowlist with integrity checks.
Likely FP if the match references running a script that is part of the skill's own repository (e.g., ./setup.sh) with clear, auditable contents.
Detects execution of shell script files via bash/sh command or direct invocation
bash /root/clawd/skills/supermemory/scripts/search.shReplace direct shell script execution with a language-native implementation or a sandboxed executor. If shell scripts must run, restrict them to a vetted allowlist with integrity checks.
Likely FP if the match references running a script that is part of the skill's own repository (e.g., ./setup.sh) with clear, auditable contents.
Detects execution of shell script files via bash/sh command or direct invocation
bash /root/clawd/skills/supermemory/scripts/chat.shReplace direct shell script execution with a language-native implementation or a sandboxed executor. If shell scripts must run, restrict them to a vetted allowlist with integrity checks.
Likely FP if the match references running a script that is part of the skill's own repository (e.g., ./setup.sh) with clear, auditable contents.