fal-image

Fail

Audited by Snyk on Feb 16, 2026

Risk Level: HIGH
Full Analysis

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I reviewed the skill prompt for literal, high-entropy credentials. The string "--id skpi-g7ydq91v0sdvpm3t53h961vg" appears twice and is a concrete, non-redacted token-like value (high-entropy alphanumeric with a secret-style prefix). This looks like a usable API/skill ID rather than a placeholder and should be treated as a hardcoded credential.

Other values in the doc are placeholders or non-secrets: "df-xxxxx" is explicitly a file-id format placeholder, workflow/run IDs (e.g., c-we6qb7ch1cfpc47jvkidqidb, RUN_ID) are identifiers rather than access secrets, and examples like REF_FILE_ID or env var names contain no secret values. Those were ignored as documentation placeholders or non-sensitive IDs.

Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 02:35 AM