NYC

Databases

Fail

Audited by Snyk on Feb 16, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt embeds hardcoded connection strings with plaintext usernames and passwords (e.g., PWD=1NT3rn@t10n@l; Pwd=CrmP0ller) and shows them in example code/commands, which would require the LLM to reproduce secret values verbatim—creating an exfiltration risk.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I scanned the full skill prompt for literal, usable credentials (high-entropy or specific passwords embedded in connection strings). I flagged values only where a password is directly present and looks like a specific credential (not a placeholder or trivial setup password).

Flagged findings:

  • PWD=1NT3rn@t10n@l (appears in the X3 MS SQL Server and Sage1000 connection strings: "DSN=OCS1;UID=sa;PWD=1NT3rn@t10n@l;"). This is a literal password in a connection string for the sa account, which is SQL Server's built-in sysadmin login, so it grants full control of that instance. It is not a placeholder and is likely usable.
  • Pwd=CrmP0ller (appears in the MySQL native connection string: "Server=rocs-production-es.ramsden-international.com;Port=6033;Database=keycloak;Uid=crm;Pwd=CrmP0ller;"). This is a literal password in a production-looking connection string: the host name suggests a production system, and the database name suggests the backing store of a Keycloak identity provider, so the credential would appear to expose identity data rather than only CRM integration data.

Ignored items and why:

  • Hostnames, DSNs, usernames (e.g., Host=rivsprod01, Username=jordan, DSN=DuckDB) — these are configuration values, not secrets.
  • JSON config example where "password": null — no secret present.
  • Paths, repo URLs, and tool locations (Y:..., gogs@...) — not secrets.
  • Other example values that are clearly placeholders or documentation (no literal API keys, PEM blocks, or redacted/truncated secrets found).

Recommendation: treat the two embedded passwords above as exposed credentials. They are already published in the skill text, so rotate both (the SQL Server sa login and the MySQL crm user) now rather than after the text is fixed, and review the SQL Server and MySQL authentication logs for unexpected logins with those accounts. Then remove the hardcoded credentials from the skill, from any example commands, and from prior published versions or repository history, and have the skill reference environment variables or a secret store instead of carrying the values in the prompt.
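The flagging and ignore criteria above (literal password fields in connection strings; placeholders, templates, null JSON values and trivial setup passwords ignored) and the recommendation to move the values into environment variables are worked through below. This is an added example, not Snyk's scanner or any code from the audited skill; the sample text, host names and credential values are constructed for the example, and the placeholder and "specific-looking" heuristics are assumptions chosen to match the criteria the audit describes.

```python
"""Detect literal passwords in connection strings inside skill text and
rewrite them as ${VAR} references. Added example; SAMPLE is constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Dict

# key=value fields as used by ODBC / ADO.NET / MySQL-style connection strings
PASSWORD_PAIR_RE = re.compile(r'\b(pwd|password|passwd)\s*=\s*([^;\s"\']*)', re.IGNORECASE)
USER_RE = re.compile(r'\b(?:username|user id|user|uid)\s*=\s*([^;\s"\']+)', re.IGNORECASE)
HOST_RE = re.compile(r'\b(?:server|hostname|host|data source|dsn)\s*=\s*([^;\s"\']+)', re.IGNORECASE)
# JSON configs: "password": null carries no secret, "password": "x" might
JSON_PASSWORD_RE = re.compile(r'"password"\s*:\s*(?:null|"([^"]*)")', re.IGNORECASE)
# Template/placeholder forms: <your-password>, {{secret}}, ${VAR}, xxxx, ****
PLACEHOLDER_RE = re.compile(r'^(?:null|none|<[^>]*>|\{\{[^}]*\}\}|\$\{?\w+\}?|x{3,}|\*{3,})$', re.IGNORECASE)
# Trivial setup passwords (assumed list) that are documentation, not a usable secret
TRIVIAL = {"password", "password123", "admin", "root", "changeme", "secret", "test", "123456"}


@dataclass(frozen=True)
class Finding:
    line_no: int
    key: str
    masked_value: str      # never the secret itself, so the report cannot leak it
    user: Optional[str]
    host: Optional[str]


def is_placeholder(value: str) -> bool:
    return value == "" or value.lower() in TRIVIAL or PLACEHOLDER_RE.match(value) is not None


def looks_specific(value: str) -> bool:
    """Assumed heuristic: at least 6 chars drawn from two or more character classes."""
    classes = sum(re.search(p, value) is not None
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    return len(value) >= 6 and classes >= 2


def mask(value: str) -> str:
    """First character plus a fixed-width mask, so length is not leaked either."""
    return value[0] + "*" * 8


def scan_text(text: str) -> List[Finding]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        user_m, host_m = USER_RE.search(line), HOST_RE.search(line)
        user = user_m.group(1) if user_m else None
        host = host_m.group(1) if host_m else None
        candidates = [(m.group(1), m.group(2)) for m in PASSWORD_PAIR_RE.finditer(line)]
        candidates += [("password", m.group(1)) for m in JSON_PASSWORD_RE.finditer(line)]
        for key, value in candidates:
            if value is None or is_placeholder(value) or not looks_specific(value):
                continue  # null, template, or trivial: configuration, not a secret
            findings.append(Finding(line_no, key, mask(value), user, host))
    return findings


def to_env_reference(text: str) -> Tuple[str, Dict[str, str]]:
    """Replace each literal password with ${<USER>_PASSWORD} and return the
    mapping the operator must move into the environment or a secret store."""
    secrets: Dict[str, str] = {}
    out_lines = []
    for line in text.splitlines():
        user_m = USER_RE.search(line)
        var = re.sub(r"\W", "_", user_m.group(1) if user_m else "DB").upper() + "_PASSWORD"

        def repl(m: "re.Match[str]") -> str:
            key, value = m.group(1), m.group(2)
            if is_placeholder(value) or not looks_specific(value):
                return m.group(0)
            secrets[var] = value
            return f"{key}=${{{var}}}"

        out_lines.append(PASSWORD_PAIR_RE.sub(repl, line))
    return "\n".join(out_lines), secrets


def expand_env(template: str, env: Dict[str, str]) -> str:
    """Runtime side: fill ${VAR} from the environment, failing closed on a
    missing variable instead of connecting with an empty password."""
    def repl(m: "re.Match[str]") -> str:
        name = m.group(1)
        if name not in env:
            raise KeyError(f"missing secret {name}")
        return env[name]
    return re.sub(r"\$\{(\w+)\}", repl, template)


# Constructed sample skill text (hosts and passwords invented for this example).
SAMPLE = """\
X3 MS SQL Server (ODBC): "DSN=OCS1;UID=sa;PWD=S3cr3t!Adm1n;"
MySQL native: "Server=db.example.internal;Port=6033;Database=keycloak;Uid=crm;Pwd=Cr4wl3r#77;"
Postgres via DSN: Host=rivsprod01;Username=jordan;Password=<your-password>;
Template: "Server=db.example.internal;Uid=crm;Pwd=${CRM_PASSWORD};"
Local dev: "Server=localhost;Uid=root;Password=changeme;"
{"host": "localhost", "user": "dev", "password": null}
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line_no}: {f.key}={f.masked_value} user={f.user} host={f.host}")
    redacted, secrets = to_env_reference(SAMPLE)
    print(redacted)
    print("move to secret store:", sorted(secrets))
```

Running it reports only the two constructed literal passwords (lines 1 and 2, masked), leaves the placeholder, template, trivial and null cases alone, and emits a redacted copy of the text plus the variable names whose values now belong in the environment; a second scan of the redacted copy finds nothing.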

Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 03:17 AM