implementing-network-access-control-with-cisco-ise

Fail

Audited by Snyk on Mar 19, 2026

Risk Level: HIGH

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt contains literal secrets (e.g., RADIUS shared secret C0mpl3x$3cretKey!, CTS password CtsP@ss, test passwords) inside configuration snippets, so generating or reproducing those configs would require the LLM to handle/output secret values verbatim.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I scanned for literal, directly embedded credentials that look like real, usable secrets (not placeholders or obvious examples).

Flagged:

  • "C0mpl3x$3cretKey!" — This string is repeatedly used as a RADIUS Shared Secret / server-key in device and switch configuration snippets (RADIUS Shared Secret, key 0 C0mpl3x$3cretKey!, client … server-key C0mpl3x$3cretKey!). It is a specific, non-placeholder value with mixed-case letters, numbers, and symbols and is used in authentication/RADIUS contexts, so it appears to be a real hardcoded secret.

Ignored (and why):

  • "CtsP@ss" — used as cts credentials id … password CtsP@ss. This is short and resembles a low-security setup password/sample; per the guidance to ignore low-security/setup passwords, I treated this as a non-actionable example.
  • "testpass" in the test aaa command — obvious test/example password; low-entropy placeholder — ignored.
  • Other items (IP addresses, AD group names, usernames like radius-test, SNMP settings described generically, references to providing domain admin credentials) do not contain direct secret values or are documentation placeholders, so they were not flagged.

Conclusion: There is at least one real, embedded high-entropy secret present (C0mpl3x$3cretKey!).

Issues (2)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • W008 (HIGH): Secret detected in skill content (API keys, tokens, passwords).

Audit Metadata

  • Risk Level: HIGH
  • Analyzed: Mar 19, 2026, 07:16 PM
  • Issues: 2