import-todos

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The skill instructs the agent to take TODO/FIXME comment text verbatim and pass it to the add-task skill (and include it in output), so any secrets accidentally present in comments would be copied and exposed — an explicit exfiltration risk.