NYC / api-test-generator (status: Fail)

Audited by Snyk on Feb 16, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt hardcodes a plaintext password in the auth_token fixture and instructs generating test files that include that credential and Authorization headers, which forces the LLM to output secret values verbatim.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I scanned the skill prompt for literal, high-entropy values that could be used to access services. The only direct credential-like value present is the password string in the auth_token fixture:

json={"login": "admin", "password": "123456789MikoPBX#1"}

This is a concrete password (not a placeholder such as YOUR_API_KEY or sk-xxxx, not an environment variable name, and not a truncated/redacted value). It is embedded in runnable test-fixture code to obtain a Bearer token and therefore could be a real, usable credential. It meets the documentation's inclusion criteria (a specific, non-trivial password) and is not one of the listed false positives (simple setup passwords or obvious examples).

Other items in the prompt (BASE_URL host, environment variable names like SCHEMA_VALIDATION_STRICT, example placeholders and template snippets, example values in DataStructure.php) are documentation/placeholders or non-secret configuration and were ignored per the rules.

Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 12:28 AM