security-auditor

Fail

Audited by Snyk on Feb 16, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill prompt includes and requires generating reports and code snippets that display hardcoded credentials and example tokens (e.g., 'SuperSecret123!', Authorization headers and .env entries) and does not mandate redaction, meaning the LLM may need to read and output secret values verbatim.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I reviewed the full skill prompt for literal credentials. The only direct, non-placeholder credential present is the database password "SuperSecret123!" shown in the hardcoded dbConfig block (src/config/database.ts) and repeated in the example .env comments. It is a specific password (mixed case, digits, symbol) embedded in code — not a placeholder or truncated value — and therefore meets the definition of a hardcoded secret. Other strings in the prompt are placeholders, truncated examples (e.g., "sk-live-24jds..."), environment variable names, or simple usernames like "admin", which per the rules are ignored as non-secrets.
Audit Metadata

Risk Level: HIGH
Analyzed: Feb 16, 2026, 03:02 AM