telnyx-video-curl

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The skill mostly uses an environment variable for auth (secure), but it also embeds a literal refresh_token/JWT string in an example request (a secret-like value that could be reproduced verbatim), creating a high exfiltration risk.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

• Secret detected (high risk: 1.00). The document contains a full JWT string (header.payload.signature) used as the "refresh_token" in the refresh_client_token example. This is a high-entropy, literal token (not a placeholder like "YOUR_API_KEY" or a simple example password) and appears to be a real/usable credential rather than a template. It is directly present in the examples, so it meets the criteria for a secret.