polardbx-zero

Fail

Audited by Snyk on May 7, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The API returns plaintext database credentials and connection strings at creation time and the skill implicitly requires the agent to present or embed those secrets verbatim (e.g., connectionString or password) for the user to connect, which forces the LLM to handle secret values directly.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). The sample Create Instance response contains a literal, complex password: "Px$9aB3cD7eF1gH" (and its URL-encoded form in connectionString). This is a high-entropy, non-placeholder string that would allow immediate access to the provisioned database instance, so it meets the definition of a secret. The instance id ("pxz_a1b2c3d4e5f6") and username ("pxz_12345678") are identifiers, not secrets, and metadata timestamps are non-sensitive. Although the service notes that instances are short-lived, that does not change that a usable credential is directly present in the docs.

Issues (2)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • W008 (HIGH): Secret detected in skill content (API keys, tokens, passwords).

Audit Metadata

Risk Level: HIGH
Analyzed: May 7, 2026, 10:15 AM
Issues: 2