salesforce
Fail
Audited by Snyk on Feb 16, 2026
Risk Level: HIGH
Full Analysis
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I scanned the skill prompt for literal, high-entropy values that look like usable credentials. The command includes the value:
- skpi-l8hjpo6mjeb871d1y8ttw0og
This is a non-placeholder, random-looking token with an "sk" prefix similar to API keys and is passed to a CLI as an --id value, which could be a usable credential or access token. Because it meets the "high-entropy, literal value" criteria and is not a documented placeholder, I treat it as a potential secret.
Other strings were ignored:
- The URL path segment c-voxvui1zpu15a7j8zmf6mjwa appears to be a workflow identifier embedded in a public URL (likely not a secret) and is lower risk; I did not flag it.
- RUN_ID described as "we-xxx" is a placeholder/example (not a secret).
- No private key blocks, bearer tokens, or other high-entropy values were present.
If this skpi- token is merely a public skill identifier rather than a credential, it can be considered safe; otherwise it should be rotated and removed from docs.
Audit Metadata