english-learner

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). Yes — the skill mandates embedding user-provided text into command invocations (e.g., node vocab_manager.cjs batch_save '[{"word":"...","definition":"..."}]') and auto-saves corrections, so if a user message contains API keys, tokens, or passwords the LLM would be required to include those secret values verbatim in its generated commands/output.