daily-planner
Fail
Audited by Snyk on Feb 20, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt embeds a clear API key ("AIzaSy...") and SMTP/email config in the skill config, which means the agent would have to include that secret verbatim when forming API requests or auth headers (exposing it in outputs) — a direct exfiltration risk.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). The string "AIzaSyCkzNP0apcHNB4mD1mI9QBlYjeeYGwQyb8" is a full, unredacted API key prefixed with the Google API key marker ("AIzaSy"), and looks high-entropy/random — not a placeholder or example. Therefore it qualifies as a real secret. Other items in the document (email addresses, SMTP host, file paths, and obvious example/simple strings) are not secrets or are not present as credential values.