terra-sdk

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt embeds literal API keys and dev_ids in multiple code examples and instructs initializing clients with those values, which requires the LLM to reproduce secret values verbatim in outputs (high exfiltration risk).

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

• Secret detected (high risk: 1.00). I searched the prompt for literal, high-entropy credentials. The string api_key="_W7Pm-kAaIf1GA_Se21NnzCaFZjg3Izc" appears verbatim in multiple setup examples (Python and JavaScript). This value is random-looking / high-entropy and is not a placeholder like "YOUR_API_KEY" or "sk-xxxx", so it meets the definition of a secret (an actual API key).

The dev_id "botaniqalmedtech-testing-SjyfjtG33s" is present in many examples but is a readable identifier (lower entropy, includes "testing") and appears to be a non-secret identifier; I am ignoring it per the guidance to focus on high-entropy, access-providing values.