xsai

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The prompt explicitly tells the agent to "Include apiKey for hosted providers" in minimal runnable examples without instructing use of environment variables or placeholders, which encourages embedding or echoing secret values verbatim and thus poses an exfiltration risk.