handover

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs the agent to extract an auth cookie (auth_token) from browser storage and write/read it into .claude-plugin/project-config.json (and use it for sub-skills), which requires the agent to handle secrets and could cause those secret values to be exposed in tool outputs or messages.