chanjing-tts-voice-clone
Fail
Audited by Snyk on Mar 14, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt embeds a hard-coded "secret_key" (and app_id) and instructs making the access_token request using that value, which requires the LLM to include secret values verbatim in generated API calls—an insecure credential-handling pattern.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). Flagged because the Get Access Token request body includes a hard-coded, high-entropy secret_key ("10cd5091fe6042dfb91ba01816a991e0"), which appears to be a real API credential. The response example also contains a high-entropy access_token ("1208CuZcV1Vlzj8MxqbO0kd1Wcl4yxwoHl6pYIzvAGoP3DpwmCCa73zmgR5NCrNu") that looks like a usable token and should be treated as sensitive.
Ignored items: app_id ("84042cb5") is short/low-entropy and typically non-secret; trace_id, voice IDs (e.g., "C-Audio-53e4e53..."), task_ids, and other IDs/URLs are identifiers or example values and not secrets per the rules. No simple example passwords or placeholders were flagged.
Issues (2)
W007
HIGH: Insecure credential handling detected in skill instructions.
W008
HIGH: Secret detected in skill content (API keys, tokens, passwords).
Audit Metadata