outlook

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

• Secret detected (high risk: 1.00). I flagged the single high-entropy identifier used directly in a command: "skpi-p7fc1qhsbq4qo59qh99ibjk9". It is not an obvious placeholder (unlike "YOUR_API_KEY" or "sk-xxxx"), appears randomly generated, and is used as the --id argument to a CLI command that runs a skill — which likely grants access to run that skill and therefore behaves like a credential/API key.

Ignored items: "recipient@example.com" (example address), the workflow URL (public link), "we-xxx" (placeholder run id), and the JSON input example — all are documentation/example values or placeholders per the provided rules.