chanjing-tts-voice-clone

Fail

Audited by Snyk on Mar 27, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill instructs the agent to read app_id/secret_key from ~/.chanjing/credentials.json and embed them in the access_token request (and then use the access_token verbatim in subsequent API headers), which requires the LLM to handle and output secret values directly.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I scanned for high-entropy, literal values that could be used to authenticate or access services.

Flagged: the access_token shown in the "Get Access Token API" response example: "1208CuZcV1Vlzj8MxqbO0kd1Wcl4yxwoHl6pYIzvAGoP3DpwmCCa73zmgR5NCrNu"

  • Reason: high-entropy, literal token value, described as "access_token" (valid for one day). This fits the definition of a secret (a credential that grants access).

Ignored items and why:

  • Voice IDs and task IDs (e.g., "C-Audio-53e4e53ba1bc40de91ffaa74f20470fc", "88f635dd9b8e4a898abb9d4679e0edc8", and other similar IDs): these look like resource identifiers, not authentication credentials. They are used to reference created resources rather than authenticate requests, so per the provided rules I did not flag them.
  • Placeholder usages of access_token in headers ({{access_token}}) and other template variables are documentation placeholders and ignored.
  • URLs and sample file names are not secrets.

Recommendation: remove or redact the literal access_token from public docs and replace with a placeholder (e.g., "ACCESS_TOKEN_EXAMPLE") or a clearly labeled fake token, and ensure any real token used in examples is rotated/invalidated.

Issues (2)

HIGH W007: Insecure credential handling detected in skill instructions.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

Audit Metadata
Risk Level: HIGH
Analyzed: Mar 27, 2026, 07:35 PM
Issues: 2