secrets-management

Fail

Audited by Snyk on Feb 27, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.80). The skill contains multiple examples that embed plaintext secrets and tokens directly in commands and outputs (e.g., vault kv put password=secret, export VAULT_TOKEN='root', aws --secret-string "super-secret-password", echo "API Key: ${{ secrets.API_KEY }}"), which encourages including secret values verbatim in generated code/commands and is therefore insecure.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.70). The skill includes CI/runtime steps that fetch and execute remote code — for example pulling and running the Docker image "trufflesecurity/trufflehog:latest" and using the GitHub Action "hashicorp/vault-action@v2" (both fetched at runtime and executing code on runners) — which constitute runtime external dependencies that execute remote code.

Audit Metadata

Risk Level: HIGH
Analyzed: Feb 27, 2026, 05:10 PM