redmine-search

Fail

Audited by Snyk on Feb 27, 2026

Risk Level: HIGH

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt includes an explicit API token and shows using it verbatim in headers/URL, meaning the LLM would need to output the secret directly in generated commands/requests.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). The document contains a literal API Token value: ac72e559db69e0107b6bc973c65b75d9acf5725b. This is a 40-character hex-looking, high-entropy string presented as the Redmine authentication token (used in the X-Redmine-API-Key header or ?key=...). It is not a placeholder, not truncated, and not a simple/example password, so it qualifies as a real secret and should be treated as exposed credentials.

Audit Metadata

Risk Level: HIGH
Analyzed: Feb 27, 2026, 01:46 PM