feature-video

Fail

Audited by Snyk on Mar 28, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.80). The workflow instructs the agent to read and then embed arbitrary user textarea content (SAVED_TEXTAREA) directly into eval/CLI commands and the PR body (e.g., ta.value = [SAVED_TEXTAREA_AS_JS_STRING] and gh pr edit --body "..."), which requires the LLM to emit user-provided strings verbatim — risking secret exfiltration if those strings contain credentials.

Issues (1)

HIGH W007: Insecure credential handling detected in skill instructions.

Audit Metadata
Risk Level: HIGH
Analyzed: Mar 28, 2026, 01:14 AM
Issues: 1