dexter
github.com/clawhub.ai/dexter
Scanned Thu, 28 May 2026 16:55:54 GMT
Scan ID crawl-fw4p7npju3xuxzr8zme9ph0s · 1ms
D
SCORE 30 / 100
Verdict: Do not install
1 critical finding.
This skill exfiltrates environment secrets (${ANTHROPIC_API_KEY) plus 1 other issue listed below.
1 critical0 high1 medium10 rules passed
Why grade D?
score · 30 / 100The current grade reflects 1 critical finding (any single CRIT → D).
1 CRIT0 HIGH1 MED0 LOW
To reach a higher grade
- CReach Ctarget score 55
Resolve all 1 CRIT findings.
- BReach Btarget score 75
Resolve all 1 CRIT.
- AReach Atarget score 95
Resolve all 1 CRIT.
Thresholds are documented at /docs/grading. Source-of-truth is the grade() function in @skillox/scanner.
Findings · ordered by severity
critSkill references secret env var ${ANTHROPIC_API_KEYThe skill instructions reference `${ANTHROPIC_API_KEY`, which contains a credential. If an attacker can lure the agent into including this in an outbound URL or message, the credential leaks.▾
Skill references secret env var ${ANTHROPIC_API_KEY
The skill instructions reference `${ANTHROPIC_API_KEY`, which contains a credential. If an attacker can lure the agent into including this in an outbound URL or message, the credential leaks.
173# Create .env (set these variables before running)
174cat > .env << EOF
175ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY:-your-key-here}← references ${ANTHROPIC_API_KEY — potential credential leak
176FINANCIAL_DATASETS_API_KEY=${FINANCIAL_DATASETS_API_KEY:-your-key-here}
177TAVILY_API_KEY=${TAVILY_API_KEY:-your-key-here}
medNo capability manifest declaredThe skill ships without a `manifest.yaml` or `capabilities` block in its frontmatter. Without a manifest, the runtime cannot enforce what this skill is permitted to do.rule: no-manifest▾
No capability manifest declared
The skill ships without a `manifest.yaml` or `capabilities` block in its frontmatter. Without a manifest, the runtime cannot enforce what this skill is permitted to do.
rule:
no-manifestskillox.io/r/crawl-fw4p7npju3xuxzr8zme9ph0s