File: .claude/skills/setup-agent-team/growth.sh
Lines: 188-194
Issue:
The script logs the request URL built from SPA_TRIGGER_URL, and error output from the curl command (stderr redirected to the log) may expose the Authorization header containing SPA_TRIGGER_SECRET.
Code:
log "Posting candidate to SPA at ${SPA_TRIGGER_URL}/candidate"
HTTP_STATUS=$(curl -s -o /dev/null -w "%{http_code}" \
-X POST "${SPA_TRIGGER_URL}/candidate" \
-H "Authorization: Bearer ${SPA_TRIGGER_SECRET}" \
-H "Content-Type: application/json" \
--data-binary @- <<< "${CANDIDATE_JSON}" \
--max-time 30) || HTTP_STATUS="000"
Risk: MEDIUM
- The log file may contain sensitive credentials if curl fails with verbose error output
- SPA_TRIGGER_URL itself may contain auth tokens or sensitive paths
Recommendation:
- Use curl's -K/--config option with a temp file for headers (avoids command-line exposure)
- Sanitize URLs before logging (remove credentials, query params)
- Add 2>&1 redirect to /dev/null for curl if errors should not be logged
-- shell-scanner