dreamina-auth

Fail

Audited by Snyk on Feb 16, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt tells the agent to extract a user's sessionid cookie and embed it verbatim in request headers (and even includes a concrete sessionid example), which requires handling/outputting a secret value and creates an exfiltration risk.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). The documentation includes a hardcoded, high-entropy session token: sessionid=7ee405dc81fbb63630aab56fcf91812b. This looks like a real cookie/session identifier (32 hex chars) and therefore qualifies as a secret under the definition (literal credential that can provide access). Other values (Appid "513695", Appvr, Pf, static sign seed "9e2c", endpoints, and environment names) are non-sensitive configuration or low-entropy identifiers and are ignored per the rules.

Audit Metadata

Risk Level: HIGH
Analyzed: Feb 16, 2026, 03:02 AM