deploy

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt embeds plaintext credentials (usernames, passwords, client-secrets) and instructs the agent to type them into pages and "display the Sandbox Credentials", requiring the LLM to output those secret values verbatim, which is insecure.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

• Secret detected (high risk: 1.00). I flagged the Client-Secret value "yTKslWLtf4giJcWCaoVJ20H8sy6STexM" from the "Sandbox Credentials" section as a real, high-entropy secret: it is a literal, random-looking token suitable for use as a client secret and is directly present in the doc.

Ignored items:

• "testUser / drowssap" (NiFi login and ROPC password): low-entropy, obvious test/setup password — treated as non-sensitive per the rules.
• "admin / admin" (Keycloak): trivial setup credential — ignored.
• "otherClientSecretValue123456789": appears structured and likely a documentation/example value (contains readable words and sequential digits) so I did not treat it as a high-entropy secret.
• Environment names, endpoints, and usernames are not secrets.

Therefore at least one actual high-entropy secret is present (the yTKslW... client secret).