implementing-network-access-control

Audit result: Fail

Audited by Snyk on Mar 16, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt embeds multiple literal secrets (RADIUS shared secret, LDAP service-account password, supplicant and test passwords, SNMP communities) directly in configuration and command examples, which requires the LLM to output those secret values verbatim — a high exfiltration risk.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I flagged one high-confidence hardcoded secret: "R4d1u5_S3cr3t_K3y!" — it appears as a literal RADIUS shared secret in multiple real configuration locations (clients.conf, Cisco radius key, PacketFence switches.conf). It is a concrete credential that would grant RADIUS access if used in a live environment.

I ignored several other literals as documentation/example or low-entropy passwords per the rules:

  • 'ServiceAccountPassword123!' (LDAP password) — low-entropy/example-like string containing the word "Password", treated as a setup/example value.
  • 'testing123', 'TestPassword123', 'UserPassword123', and similar passwords shown in radtest, wpa_supplicant, etc. — simple/example credentials used for testing.
  • SNMPCommunityRead=public and SNMPCommunityWrite=private — well-known default community strings (low-security setup values), so ignored.
  • Any other usernames/IDs, truncated/example tokens, and obvious documentation placeholders were ignored per the provided guidance.

Conclusion: only the repeated RADIUS secret "R4d1u5_S3cr3t_K3y!" is a direct, usable hardcoded credential that should be treated as a secret.
MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 1.00). The prompt explicitly instructs running sudo commands that install packages and overwrite system configuration files (e.g., /etc/freeradius, /usr/local/pf, /etc/wpa_supplicant), start privileged services, and change network/authentication state, which directly modify the machine and require elevated privileges.

Issues (3)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • W008 (HIGH): Secret detected in skill content (API keys, tokens, passwords).
  • W013 (MEDIUM): Attempt to modify system services in skill instructions.

Audit Metadata

  • Risk Level: HIGH
  • Analyzed: Mar 16, 2026, 03:40 PM
  • Issues: 3