terra-auth

Fail

Audited by Snyk on Feb 16, 2026

Risk Level: HIGH

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt embeds hard-coded API keys and dev IDs in code snippets and cURL examples, which requires reproducing secret values verbatim in outputs and is therefore high-risk.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I flagged real, hardcoded API keys because the prompt contains multiple high-entropy, literal api_key values present directly in code, environment examples, and cURL headers. These strings look random (mix of letters, numbers, punctuation) and would grant access if valid (three distinct key values, for the testing, staging, and production environments, were flagged).

I did not flag the dev_id values (botaniqalmedtech--) because they appear to be non-secret identifiers (lower entropy, environment identifiers) rather than high-entropy credentials. I also did not flag any placeholders, truncated/redundant examples, or the webhook signing secret note (no actual signing secret value is present).

Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 01:34 AM