terra-data
Fail
Audited by Snyk on Feb 16, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt embeds plaintext credentials (dev_id and api_key) in example code. These are real-looking secrets that an LLM would reproduce verbatim in generated outputs, creating a high exfiltration risk.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I scanned the prompt for literal, high-entropy credentials. The Quick Start includes a concrete api_key value ("_W7Pm-kAaIf1GA_Se21NnzCaFZjg3Izc") which is a random-looking, high-entropy string and is presented as an API credential — this matches the definition of a secret and should be flagged. The dev_id ("botaniqalmedtech-testing-SjyfjtG33s") is also a literal credential-like identifier (less purely random but likely an environment credential) and should be treated as sensitive.
Other values in the document (e.g., user_id="terra_user_abc123", sample passwords, placeholder env var names, and obvious examples) are low-entropy or clearly examples/placeholders and were ignored per the rules.
Audit Metadata