api-client

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The prompt includes an explicit plaintext password example in the environment variables and instructs debug output that reveals tokens/full curl commands (i.e., printing Authorization headers), so the agent may be required to surface secret values verbatim.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

• Secret detected (high risk: 1.00). I scanned the full skill prompt for literal, high-entropy credentials. The only candidate that meets the "actual, usable credential" and "high-entropy" criteria is the environment variable value:

MIKOPBX_PASSWORD="123456789MikoPBX#1"

This is a specific, non-placeholder password (mix of digits, letters, special char) that could be used to authenticate, so it qualifies as a hardcoded secret in the documentation.

I did NOT flag:

• MIKOPBX_LOGIN="admin" (username only, not a secret)
• MIKOPBX_CONTAINER="mikopbx-php83" (container name)
• Any placeholders or example tokens (e.g., "Authorization: Bearer $TOKEN", truncated/redacted values, or obvious examples), per the ignore rules.