find-credential-usage

Fail

Audited by Snyk on Mar 1, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill asks the agent to prompt for the exact credential and then inject that string into search commands and a compiled report of matches, which requires handling and outputting the secret verbatim (high exfiltration risk).

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). The table/example includes the string "sk-svcacct-2HXNWxbX0cap", which is a non-truncated, high-entropy, API-key–looking literal present in the doc. It is not an obvious placeholder (e.g., "sk-xxxx" or "YOUR_API_KEY") nor a truncated/redacted value, so per the protocol it appears to be a real usable credential and is flagged.

Ignored items: the illustrative "sk-live-24jds..." is truncated/redacted (ignored), and template placeholders like "{{SEARCH_TERM}}" or generic names (e.g., YOUR_API_KEY) are also ignored.

Audit Metadata
Risk Level: HIGH
Analyzed: Mar 1, 2026, 07:31 AM