arena

by openclaw

OpenClaw Arena — live AI app-building competitions with on-chain rewards. Use when the user says /arena, /arena start, /arena status, or /arena queue. Checks the Arena platform for block assignments, autonomously builds frontend apps, emits live progress events, and submits completed builds for community voting.

Blocked
Risk: Critical
Status: failed
Findings: 49
Last Scanned: 2/12/2026

Scan Report

Duration: 297.0s
Rules checked: 147
Scanned at: 2/12/2026, 6:48:11 PM

Scanners: 4/5 ran

clawguard-rules
26 findings (3ms)
SEC-014: JWT token detected (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:29)
SEC-014: JWT token detected (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:68)
SEC-014: JWT token detected (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:69)
SEC-014: JWT token detected (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:79)
SEC-014: JWT token detected (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:80)
SEC-014: JWT token detected (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:102)
SEC-014: JWT token detected (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:103)
SEC-014: JWT token detected (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:116)
SEC-014: JWT token detected (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:117)
SEC-014: JWT token detected (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:130)
SEC-014: JWT token detected (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:131)
SEC-014: JWT token detected (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:208)
SEC-014: JWT token detected (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:209)
PI-041: Possible base64-encoded payload (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:29)
PI-041: Possible base64-encoded payload (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:68)
PI-041: Possible base64-encoded payload (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:69)
PI-041: Possible base64-encoded payload (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:79)
PI-041: Possible base64-encoded payload (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:80)
PI-041: Possible base64-encoded payload (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:102)
PI-041: Possible base64-encoded payload (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:103)
PI-041: Possible base64-encoded payload (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:116)
PI-041: Possible base64-encoded payload (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:117)
PI-041: Possible base64-encoded payload (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:130)
PI-041: Possible base64-encoded payload (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:131)
PI-041: Possible base64-encoded payload (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:208)
PI-041: Possible base64-encoded payload (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:209)
clawguard-rules (3ms)
[2026-02-12T18:43:14.847Z] Running @yourclaw/clawguard-rules pattern matcher
Scanning: /tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md
Content length: 11529 chars
Patterns matched: 26
  [high] SEC-014: JWT token detected
  [high] SEC-014: JWT token detected
  [high] SEC-014: JWT token detected
  [high] SEC-014: JWT token detected
  [high] SEC-014: JWT token detected
  [high] SEC-014: JWT token detected
  [high] SEC-014: JWT token detected
  [high] SEC-014: JWT token detected
  [high] SEC-014: JWT token detected
  [high] SEC-014: JWT token detected
  [high] SEC-014: JWT token detected
  [high] SEC-014: JWT token detected
  [high] SEC-014: JWT token detected
  [low] PI-041: Possible base64-encoded payload
  [low] PI-041: Possible base64-encoded payload
  [low] PI-041: Possible base64-encoded payload
  [low] PI-041: Possible base64-encoded payload
  [low] PI-041: Possible base64-encoded payload
  [low] PI-041: Possible base64-encoded payload
  [low] PI-041: Possible base64-encoded payload
  [low] PI-041: Possible base64-encoded payload
  [low] PI-041: Possible base64-encoded payload
  [low] PI-041: Possible base64-encoded payload
  [low] PI-041: Possible base64-encoded payload
  [low] PI-041: Possible base64-encoded payload
  [low] PI-041: Possible base64-encoded payload
✓ Completed in 3ms
gitleaks
0 findings (178003ms)
No findings — all checks passed.
gitleaks (178003ms)
[2026-02-12T18:46:12.850Z] $ gitleaks detect --source /tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena --report-format json --report-path /dev/stdout --no-git

⚠ stderr output:

    │╲
    │ ○
    ○ ░
    ░ gitleaks

6:46PM FTL Report path is not writable: /dev/stdout error="open /dev/stdout: no such device or address"

Process exited with code 1
✓ Completed in 178003ms
semgrep
19 findings (297021ms)
generic.secrets.security.detected-jwt-token.detected-jwt-token: JWT token detected (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:29)
generic.secrets.security.detected-generic-api-key.detected-generic-api-key: Generic API Key detected (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:68)
generic.secrets.security.detected-jwt-token.detected-jwt-token: JWT token detected (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:68)
generic.secrets.security.detected-jwt-token.detected-jwt-token: JWT token detected (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:69)
generic.secrets.security.detected-generic-api-key.detected-generic-api-key: Generic API Key detected (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:79)
generic.secrets.security.detected-jwt-token.detected-jwt-token: JWT token detected (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:79)
generic.secrets.security.detected-jwt-token.detected-jwt-token: JWT token detected (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:80)
generic.secrets.security.detected-generic-api-key.detected-generic-api-key: Generic API Key detected (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:102)
generic.secrets.security.detected-jwt-token.detected-jwt-token: JWT token detected (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:102)
generic.secrets.security.detected-jwt-token.detected-jwt-token: JWT token detected (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:103)
generic.secrets.security.detected-generic-api-key.detected-generic-api-key: Generic API Key detected (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:116)
generic.secrets.security.detected-jwt-token.detected-jwt-token: JWT token detected (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:116)
generic.secrets.security.detected-jwt-token.detected-jwt-token: JWT token detected (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:117)
generic.secrets.security.detected-generic-api-key.detected-generic-api-key: Generic API Key detected (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:130)
generic.secrets.security.detected-jwt-token.detected-jwt-token: JWT token detected (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:130)
generic.secrets.security.detected-jwt-token.detected-jwt-token: JWT token detected (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:131)
generic.secrets.security.detected-generic-api-key.detected-generic-api-key: Generic API Key detected (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:208)
generic.secrets.security.detected-jwt-token.detected-jwt-token: JWT token detected (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:208)
generic.secrets.security.detected-jwt-token.detected-jwt-token: JWT token detected (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:209)
semgrep (297021ms)
[2026-02-12T18:48:11.871Z] $ semgrep scan --json --quiet --config auto /tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena
3
Process exited with code 0
✓ Completed in 297021ms
mcp-scan
4 findings, 213756ms
MCP-W004: The MCP server is not in our registry.
MCP-W007: Insecure credential handling detected (high risk: 1.00). The prompt includes an actual Supabase API key in plaintext and instructs the agent to embed it verbatim in curl headers and requests, which forces the LLM to handle and output a secret directly (high exfiltration risk).
MCP-W011: Third-party content exposure detected (high risk: 0.90). The skill fetches and parses JSON from public third-party endpoints (https://ocarena.ai/api/auth-code and the Supabase REST API at qbijjunuscmcrcwjpojr.supabase.co) that contain user-generated fields like agent_name, topic, and messages which the agent is expected to read and act on, exposing it to indirect prompt injection.
MCP-W008: Secret detected (high risk: 1.00). The document contains a full, high-entropy JWT-like string (eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9....ObEgPDEz_...) used repeatedly as the "API Key" and "Authorization: Bearer" header for the Supabase REST endpoints. This is a literal, unredacted credential (not a placeholder like YOUR_API_KEY or truncated/redacted). Although the prompt states it's a "Supabase public anon key (read-only, RLS-protected)," it is nevertheless an actual API key that can be used against the listed project URL (qbijjunuscmcrcwjpojr.supabase.co). Therefore it meets the definition of a secret here (high-entropy, usable credential) and should be treated as exposed and remediated (remove from docs, rotate the key, or restrict access). The multiple identical entries are duplicates of the same exposed key.
[2026-02-12T18:46:48.610Z] $ mcp-scan --skills /tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena --json
Process exited with code 0
✓ Completed in 213756ms
npm-audit
No package.json found — skipping npm audit
npm-audit, 0ms
No package.json found at /tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/package.json
Skipping npm audit.

Files analyzed

SKILL.md

Rules coverage: 147 patterns

58 prompt injection
15 secrets
53 malware
21 permissions

Security Findings

High | SEC-014 | clawguard-rules | secrets

JWT token detected

/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:29

Evidence: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6InFiaWpqdW51c2NtY3Jjd2pwb2pyIiwicm9sZSI6ImFub24iLCJpYXQiOjE3NzA0MzE4NTYsImV4cCI6MjA4NjAwNzg1Nn0.ObEgPDEz_RBwwH9RoCAthmokEWC7nv772uK

High | SEC-014 | clawguard-rules | secrets

JWT token detected

/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:68

Evidence: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6InFiaWpqdW51c2NtY3Jjd2pwb2pyIiwicm9sZSI6ImFub24iLCJpYXQiOjE3NzA0MzE4NTYsImV4cCI6MjA4NjAwNzg1Nn0.ObEgPDEz_RBwwH9RoCAthmokEWC7nv772uK

High | SEC-014 | clawguard-rules | secrets

JWT token detected

/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:69

Evidence: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6InFiaWpqdW51c2NtY3Jjd2pwb2pyIiwicm9sZSI6ImFub24iLCJpYXQiOjE3NzA0MzE4NTYsImV4cCI6MjA4NjAwNzg1Nn0.ObEgPDEz_RBwwH9RoCAthmokEWC7nv772uK

High | SEC-014 | clawguard-rules | secrets

JWT token detected

/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:79

Evidence: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6InFiaWpqdW51c2NtY3Jjd2pwb2pyIiwicm9sZSI6ImFub24iLCJpYXQiOjE3NzA0MzE4NTYsImV4cCI6MjA4NjAwNzg1Nn0.ObEgPDEz_RBwwH9RoCAthmokEWC7nv772uK

High | SEC-014 | clawguard-rules | secrets

JWT token detected

/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:80

Evidence: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6InFiaWpqdW51c2NtY3Jjd2pwb2pyIiwicm9sZSI6ImFub24iLCJpYXQiOjE3NzA0MzE4NTYsImV4cCI6MjA4NjAwNzg1Nn0.ObEgPDEz_RBwwH9RoCAthmokEWC7nv772uK

High | SEC-014 | clawguard-rules | secrets

JWT token detected

/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:102

Evidence: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6InFiaWpqdW51c2NtY3Jjd2pwb2pyIiwicm9sZSI6ImFub24iLCJpYXQiOjE3NzA0MzE4NTYsImV4cCI6MjA4NjAwNzg1Nn0.ObEgPDEz_RBwwH9RoCAthmokEWC7nv772uK

High | SEC-014 | clawguard-rules | secrets

JWT token detected

/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:103

Evidence: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6InFiaWpqdW51c2NtY3Jjd2pwb2pyIiwicm9sZSI6ImFub24iLCJpYXQiOjE3NzA0MzE4NTYsImV4cCI6MjA4NjAwNzg1Nn0.ObEgPDEz_RBwwH9RoCAthmokEWC7nv772uK

High | SEC-014 | clawguard-rules | secrets

JWT token detected

/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:116

Evidence: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6InFiaWpqdW51c2NtY3Jjd2pwb2pyIiwicm9sZSI6ImFub24iLCJpYXQiOjE3NzA0MzE4NTYsImV4cCI6MjA4NjAwNzg1Nn0.ObEgPDEz_RBwwH9RoCAthmokEWC7nv772uK

High | SEC-014 | clawguard-rules | secrets

JWT token detected

/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:117

Evidence: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6InFiaWpqdW51c2NtY3Jjd2pwb2pyIiwicm9sZSI6ImFub24iLCJpYXQiOjE3NzA0MzE4NTYsImV4cCI6MjA4NjAwNzg1Nn0.ObEgPDEz_RBwwH9RoCAthmokEWC7nv772uK

High | SEC-014 | clawguard-rules | secrets

JWT token detected

/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:130

Evidence: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6InFiaWpqdW51c2NtY3Jjd2pwb2pyIiwicm9sZSI6ImFub24iLCJpYXQiOjE3NzA0MzE4NTYsImV4cCI6MjA4NjAwNzg1Nn0.ObEgPDEz_RBwwH9RoCAthmokEWC7nv772uK

High | SEC-014 | clawguard-rules | secrets

JWT token detected

/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:131

Evidence: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6InFiaWpqdW51c2NtY3Jjd2pwb2pyIiwicm9sZSI6ImFub24iLCJpYXQiOjE3NzA0MzE4NTYsImV4cCI6MjA4NjAwNzg1Nn0.ObEgPDEz_RBwwH9RoCAthmokEWC7nv772uK

High | SEC-014 | clawguard-rules | secrets

JWT token detected

/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:208

Evidence: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6InFiaWpqdW51c2NtY3Jjd2pwb2pyIiwicm9sZSI6ImFub24iLCJpYXQiOjE3NzA0MzE4NTYsImV4cCI6MjA4NjAwNzg1Nn0.ObEgPDEz_RBwwH9RoCAthmokEWC7nv772uK

High | SEC-014 | clawguard-rules | secrets

JWT token detected

/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:209

Evidence: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6InFiaWpqdW51c2NtY3Jjd2pwb2pyIiwicm9sZSI6ImFub24iLCJpYXQiOjE3NzA0MzE4NTYsImV4cCI6MjA4NjAwNzg1Nn0.ObEgPDEz_RBwwH9RoCAthmokEWC7nv772uK

Low | PI-041 | clawguard-rules | prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:29

Evidence: eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6InFiaWpqdW51c2NtY3Jjd2pwb2pyIiwicm9sZSI6ImFub24iLCJpYXQiOjE3NzA0MzE4NTYsImV4cCI6MjA4NjAwNzg1Nn0

Low | PI-041 | clawguard-rules | prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:68

Evidence: eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6InFiaWpqdW51c2NtY3Jjd2pwb2pyIiwicm9sZSI6ImFub24iLCJpYXQiOjE3NzA0MzE4NTYsImV4cCI6MjA4NjAwNzg1Nn0

Low | PI-041 | clawguard-rules | prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:69

Evidence: eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6InFiaWpqdW51c2NtY3Jjd2pwb2pyIiwicm9sZSI6ImFub24iLCJpYXQiOjE3NzA0MzE4NTYsImV4cCI6MjA4NjAwNzg1Nn0

Low | PI-041 | clawguard-rules | prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:79

Evidence: eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6InFiaWpqdW51c2NtY3Jjd2pwb2pyIiwicm9sZSI6ImFub24iLCJpYXQiOjE3NzA0MzE4NTYsImV4cCI6MjA4NjAwNzg1Nn0

Low | PI-041 | clawguard-rules | prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:80

Evidence: eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6InFiaWpqdW51c2NtY3Jjd2pwb2pyIiwicm9sZSI6ImFub24iLCJpYXQiOjE3NzA0MzE4NTYsImV4cCI6MjA4NjAwNzg1Nn0

Low | PI-041 | clawguard-rules | prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:102

Evidence: eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6InFiaWpqdW51c2NtY3Jjd2pwb2pyIiwicm9sZSI6ImFub24iLCJpYXQiOjE3NzA0MzE4NTYsImV4cCI6MjA4NjAwNzg1Nn0

Low | PI-041 | clawguard-rules | prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:103

Evidence: eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6InFiaWpqdW51c2NtY3Jjd2pwb2pyIiwicm9sZSI6ImFub24iLCJpYXQiOjE3NzA0MzE4NTYsImV4cCI6MjA4NjAwNzg1Nn0

Low | PI-041 | clawguard-rules | prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:116

Evidence: eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6InFiaWpqdW51c2NtY3Jjd2pwb2pyIiwicm9sZSI6ImFub24iLCJpYXQiOjE3NzA0MzE4NTYsImV4cCI6MjA4NjAwNzg1Nn0

Low | PI-041 | clawguard-rules | prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:117

Evidence: eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6InFiaWpqdW51c2NtY3Jjd2pwb2pyIiwicm9sZSI6ImFub24iLCJpYXQiOjE3NzA0MzE4NTYsImV4cCI6MjA4NjAwNzg1Nn0

Low | PI-041 | clawguard-rules | prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:130

Evidence: eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6InFiaWpqdW51c2NtY3Jjd2pwb2pyIiwicm9sZSI6ImFub24iLCJpYXQiOjE3NzA0MzE4NTYsImV4cCI6MjA4NjAwNzg1Nn0

Low | PI-041 | clawguard-rules | prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:131

Evidence: eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6InFiaWpqdW51c2NtY3Jjd2pwb2pyIiwicm9sZSI6ImFub24iLCJpYXQiOjE3NzA0MzE4NTYsImV4cCI6MjA4NjAwNzg1Nn0

Low | PI-041 | clawguard-rules | prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:208

Evidence: eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6InFiaWpqdW51c2NtY3Jjd2pwb2pyIiwicm9sZSI6ImFub24iLCJpYXQiOjE3NzA0MzE4NTYsImV4cCI6MjA4NjAwNzg1Nn0

Low | PI-041 | clawguard-rules | prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:209

Evidence: eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6InFiaWpqdW51c2NtY3Jjd2pwb2pyIiwicm9sZSI6ImFub24iLCJpYXQiOjE3NzA0MzE4NTYsImV4cCI6MjA4NjAwNzg1Nn0

High | generic.secrets.security.detected-jwt-token.detected-jwt-token | semgrep | security

JWT token detected

/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:29

High | generic.secrets.security.detected-generic-api-key.detected-generic-api-key | semgrep | security

Generic API Key detected

/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:68

High | generic.secrets.security.detected-jwt-token.detected-jwt-token | semgrep | security

JWT token detected

/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:68

High | generic.secrets.security.detected-jwt-token.detected-jwt-token | semgrep | security

JWT token detected

/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:69

High | generic.secrets.security.detected-generic-api-key.detected-generic-api-key | semgrep | security

Generic API Key detected

/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:79

High | generic.secrets.security.detected-jwt-token.detected-jwt-token | semgrep | security

JWT token detected

/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:79

High | generic.secrets.security.detected-jwt-token.detected-jwt-token | semgrep | security

JWT token detected

/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:80

High | generic.secrets.security.detected-generic-api-key.detected-generic-api-key | semgrep | security

Generic API Key detected

/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:102

High | generic.secrets.security.detected-jwt-token.detected-jwt-token | semgrep | security

JWT token detected

/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:102

High | generic.secrets.security.detected-jwt-token.detected-jwt-token | semgrep | security

JWT token detected

/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:103

High | generic.secrets.security.detected-generic-api-key.detected-generic-api-key | semgrep | security

Generic API Key detected

/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:116

High | generic.secrets.security.detected-jwt-token.detected-jwt-token | semgrep | security

JWT token detected

/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:116

High | generic.secrets.security.detected-jwt-token.detected-jwt-token | semgrep | security

JWT token detected

/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:117

High | generic.secrets.security.detected-generic-api-key.detected-generic-api-key | semgrep | security

Generic API Key detected

/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:130

High | generic.secrets.security.detected-jwt-token.detected-jwt-token | semgrep | security

JWT token detected

/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:130

High | generic.secrets.security.detected-jwt-token.detected-jwt-token | semgrep | security

JWT token detected

/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:131

High generic.secrets.security.detected-generic-api-key.detected-generic-api-key semgrep security

Generic API Key detected

/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:208

High generic.secrets.security.detected-jwt-token.detected-jwt-token semgrep security

JWT token detected

/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:208

High generic.secrets.security.detected-jwt-token.detected-jwt-token semgrep security

JWT token detected

/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:209

Low MCP-W004 mcp-scan mcp

The MCP server is not in our registry.

High MCP-W007 mcp-scan mcp

Insecure credential handling detected (high risk: 1.00). The prompt includes an actual Supabase API key in plaintext and instructs the agent to embed it verbatim in curl headers and requests, which forces the LLM to handle and output a secret directly (high exfiltration risk).

High MCP-W011 mcp-scan mcp

Third-party content exposure detected (high risk: 0.90). The skill fetches and parses JSON from public third-party endpoints (https://ocarena.ai/api/auth-code and the Supabase REST API at qbijjunuscmcrcwjpojr.supabase.co) that contain user-generated fields like agent_name, topic, and messages which the agent is expected to read and act on, exposing it to indirect prompt injection.

High MCP-W008 mcp-scan mcp

Secret detected (high risk: 1.00). The document contains a full, high-entropy JWT-like string (eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9....ObEgPDEz_...) used repeatedly as the "API Key" and "Authorization: Bearer" header for the Supabase REST endpoints. This is a literal, unredacted credential (not a placeholder like YOUR_API_KEY or truncated/redacted). Although the prompt states it's a "Supabase public anon key (read-only, RLS-protected)," it is nevertheless an actual API key that can be used against the listed project URL (qbijjunuscmcrcwjpojr.supabase.co). Therefore it meets the definition of a secret here (high-entropy, usable credential) and should be treated as exposed and remediated (remove from docs, rotate the key, or restrict access). The multiple identical entries are duplicates of the same exposed key.

Scan History: 1 scan

Failed 2fbf5e9
49 findings: 0 critical, 35 high, 0 medium, 14 low, 0 info

Scanners: 4/5 ran

clawguard-rules
26 findings, 3ms
clawguard-rules log (3ms)
[2026-02-12T18:43:14.847Z] Running @yourclaw/clawguard-rules pattern matcher
Scanning: /tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md
Content length: 11529 chars
Patterns matched: 26
  [high] SEC-014: JWT token detected
  [high] SEC-014: JWT token detected
  [high] SEC-014: JWT token detected
  [high] SEC-014: JWT token detected
  [high] SEC-014: JWT token detected
  [high] SEC-014: JWT token detected
  [high] SEC-014: JWT token detected
  [high] SEC-014: JWT token detected
  [high] SEC-014: JWT token detected
  [high] SEC-014: JWT token detected
  [high] SEC-014: JWT token detected
  [high] SEC-014: JWT token detected
  [high] SEC-014: JWT token detected
  [low] PI-041: Possible base64-encoded payload
  [low] PI-041: Possible base64-encoded payload
  [low] PI-041: Possible base64-encoded payload
  [low] PI-041: Possible base64-encoded payload
  [low] PI-041: Possible base64-encoded payload
  [low] PI-041: Possible base64-encoded payload
  [low] PI-041: Possible base64-encoded payload
  [low] PI-041: Possible base64-encoded payload
  [low] PI-041: Possible base64-encoded payload
  [low] PI-041: Possible base64-encoded payload
  [low] PI-041: Possible base64-encoded payload
  [low] PI-041: Possible base64-encoded payload
  [low] PI-041: Possible base64-encoded payload
✓ Completed in 3ms
gitleaks
0 findings, 178003ms
No findings — all checks passed.
gitleaks log (178003ms)
[2026-02-12T18:46:12.850Z] $ gitleaks detect --source /tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena --report-format json --report-path /dev/stdout --no-git

⚠ stderr output:

 │╲
 │ ○
 ○ ░
 ░ gitleaks

6:46PM FTL Report path is not writable: /dev/stdout error="open /dev/stdout: no such device or address"

Process exited with code 1
✓ Completed in 178003ms
semgrep
19 findings, 297021ms
generic.secrets.security.detected-jwt-token.detected-jwt-token JWT token detected (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:29)
generic.secrets.security.detected-generic-api-key.detected-generic-api-key Generic API Key detected (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:68)
generic.secrets.security.detected-jwt-token.detected-jwt-token JWT token detected (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:68)
generic.secrets.security.detected-jwt-token.detected-jwt-token JWT token detected (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:69)
generic.secrets.security.detected-generic-api-key.detected-generic-api-key Generic API Key detected (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:79)
generic.secrets.security.detected-jwt-token.detected-jwt-token JWT token detected (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:79)
generic.secrets.security.detected-jwt-token.detected-jwt-token JWT token detected (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:80)
generic.secrets.security.detected-generic-api-key.detected-generic-api-key Generic API Key detected (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:102)
generic.secrets.security.detected-jwt-token.detected-jwt-token JWT token detected (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:102)
generic.secrets.security.detected-jwt-token.detected-jwt-token JWT token detected (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:103)
generic.secrets.security.detected-generic-api-key.detected-generic-api-key Generic API Key detected (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:116)
generic.secrets.security.detected-jwt-token.detected-jwt-token JWT token detected (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:116)
generic.secrets.security.detected-jwt-token.detected-jwt-token JWT token detected (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:117)
generic.secrets.security.detected-generic-api-key.detected-generic-api-key Generic API Key detected (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:130)
generic.secrets.security.detected-jwt-token.detected-jwt-token JWT token detected (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:130)
generic.secrets.security.detected-jwt-token.detected-jwt-token JWT token detected (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:131)
generic.secrets.security.detected-generic-api-key.detected-generic-api-key Generic API Key detected (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:208)
generic.secrets.security.detected-jwt-token.detected-jwt-token JWT token detected (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:208)
generic.secrets.security.detected-jwt-token.detected-jwt-token JWT token detected (/tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/SKILL.md:209)
semgrep log (297021ms)
[2026-02-12T18:48:11.871Z] $ semgrep scan --json --quiet --config auto /tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena
3
Process exited with code 0
✓ Completed in 297021ms
mcp-scan
4 findings, 213756ms
MCP-W004: The MCP server is not in our registry.
MCP-W007: Insecure credential handling detected (high risk: 1.00). The prompt includes an actual Supabase API key in plaintext and instructs the agent to embed it verbatim in curl headers and requests, which forces the LLM to handle and output a secret directly (high exfiltration risk).
MCP-W011: Third-party content exposure detected (high risk: 0.90). The skill fetches and parses JSON from public third-party endpoints (https://ocarena.ai/api/auth-code and the Supabase REST API at qbijjunuscmcrcwjpojr.supabase.co) that contain user-generated fields like agent_name, topic, and messages which the agent is expected to read and act on, exposing it to indirect prompt injection.
MCP-W008: Secret detected (high risk: 1.00). The document contains a full, high-entropy JWT-like string (eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9....ObEgPDEz_...) used repeatedly as the "API Key" and "Authorization: Bearer" header for the Supabase REST endpoints. This is a literal, unredacted credential (not a placeholder like YOUR_API_KEY or truncated/redacted). Although the prompt states it's a "Supabase public anon key (read-only, RLS-protected)," it is nevertheless an actual API key that can be used against the listed project URL (qbijjunuscmcrcwjpojr.supabase.co). Therefore it meets the definition of a secret here (high-entropy, usable credential) and should be treated as exposed and remediated (remove from docs, rotate the key, or restrict access). The multiple identical entries are duplicates of the same exposed key.
[2026-02-12T18:46:48.610Z] $ mcp-scan --skills /tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena --json
Process exited with code 0
✓ Completed in 213756ms
npm-audit
No package.json found — skipping npm audit
No package.json found at /tmp/clawguard-scan-QL1okx/repo/skills/sscottdev/arena/package.json
Skipping npm audit.

Scanned: 2/12/2026, 6:48:13 PM