mjardevi-lunch

Fail

Audited by Snyk on Mar 13, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.80). The prompt instructs storing an API key in a plaintext .api_key file and shows examples of passing the key directly on the command line (e.g., "python scripts/get_lunch.py ee57b6b..."), which encourages handling and embedding secret values verbatim in commands/outputs.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I scanned the whole skill. Most values are placeholders or setup instructions (e.g., "din_api_nyckel_här" and the instructions to copy .api_key.example), which I ignored as documentation placeholders or low-security setup text.

However, the Quick Start examples include the literal string "ee57b6b96d25120dd4e921a8e7c246f1" used as an API key in two example commands. That value is a high-entropy, random-looking hex string and is not labeled as a placeholder. Because it appears directly in runnable example commands, it could be a real, usable credential and should be treated as a potential secret leak.

Audit Metadata
Risk Level: HIGH
Analyzed: Mar 13, 2026, 12:17 PM
Issues: 2