fish-audio
Fail
Audited by Snyk on Feb 16, 2026
Risk Level: HIGH
Full Analysis
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I flagged the literal value skpi-h7bbbys1kggo41f0b2xz237l found in the example refly CLI command. It is a high-entropy, random-looking token with an "skpi-" prefix and is embedded directly in runnable shell code (refly skill run --id ...), which makes it potentially usable as a credential or service identifier. Other items in the prompt (JSON example fields, environment variable names, and the workflow URL) are documentation/example values or non-secret identifiers and were ignored.