apisix-adc

Fail

Audited by Snyk on Feb 16, 2026

Risk Level: HIGH

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt includes a literal Admin API token in examples and explicitly tells the agent to ask users for their Admin API Key and embed it into .env/command outputs (export/adc commands), which requires handling and outputting secret values verbatim and creates exfiltration risk.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). Flagged the literal API key value "edd1c9f034335f136f87ad84b625c8f1". It is a high-entropy, literal token used repeatedly as ADC_TOKEN and in an X-API-KEY curl header, which appears to be an actual (default) APISIX Admin API key and thus a usable credential.

Ignored items:

  • "my-secret-key", "secret-api-key", and similar consumer examples — these are obvious example/placeholder values and low-entropy.
  • ADC_SERVER=http://localhost:9180 and other host/port environment variables — not secrets.

Audit Metadata

Risk Level: HIGH
Analyzed: Feb 16, 2026, 12:35 AM