telnyx-video-javascript
Fail
Audited by Snyk on Mar 23, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt includes a literal refresh_token JWT in an example request (a secret-like value embedded verbatim), which encourages the agent to output or reuse sensitive credentials directly rather than keeping them in secure storage or environment variables.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). The example includes a full, high-entropy JWT (three base64url parts with a long signature) used as the refresh_token in the refreshClientToken example. This is a literal credential (refresh token) present in the docs — not a placeholder, truncated value, or simple example password — and could be used to obtain access (i.e., it's a usable secret). I did not flag environment variable names (e.g., TELNYX_API_KEY) because those are just variable names without values. Recommended actions: remove the token from docs, rotate/revoke it immediately, and replace with a placeholder or instruct readers to use environment variables.
Issues (2)
- W007 (HIGH): Insecure credential handling detected in skill instructions.
- W008 (HIGH): Secret detected in skill content (API keys, tokens, passwords).