cloudflare-service-token-setup

Fail

Audited by Snyk on Feb 24, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The skill instructs copying real-looking client IDs and secrets into a .env and even shows literal example secret strings and grep output, which encourages embedding and exposing secrets verbatim (high exfiltration risk) despite using env-var placeholders for tests.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I flagged the embedded Cloudflare service token values as real secrets because they are literal, high-entropy, and directly present in the prompt.

Matches found and rationale:

  • CF_SERVICE_TOKEN_CLIENT_ID = "8f0eb3c52a7236fc952d9b11cd67b960.access" — looks like a real client ID (hex-like, not a placeholder).
  • CF_SERVICE_TOKEN_CLIENT_SECRET = "63b34062dbca3405521196952ba4d155de00f59e52d0fa23d0a7f3de66696c6c" — high-entropy hex string, appears to be an actual secret.

Ignored/treated as non-secrets:

  • Placeholder examples in Quick Start (e.g., your-client-id.access, your-client-secret, YOUR_API_KEY) — ignored per rules.
  • The truncated secret shown earlier with "..." — would be ignored if it were the only form, but a full secret is later present so that full value is what triggered the flag.
  • Other simple/example strings and environment variable names and domain names are documentation artifacts and not flagged.

Because the prompt contains explicit, full, high-entropy credential values, this is a true secret disclosure.

Audit Metadata
Risk Level: HIGH
Analyzed: Feb 24, 2026, 05:23 PM