telnyx-video-go

Fail

Audited by Snyk on Mar 12, 2026

Risk Level: HIGH

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt includes an explicit literal refresh token (a JWT string) in the example code, which is an actual secret-like value that the LLM could be forced to reproduce verbatim, creating an exfiltration risk despite other parts using environment variables.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). The documentation contains a full JWT-like token assigned to RefreshToken in the RefreshClientToken example: "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9....gNEwzTow5MLLPLQENytca7pUN79PmPj6FyqZWW06ZeEmesxYpwKh0xRtA0TzLh6CDYIRHrI8seofOO0YFGDhpQ"

This is a high-entropy, non-truncated credential (header.payload.signature) rather than a placeholder or simple example password. It appears directly usable as a token, so it meets the definition of a secret. (Note: other items like TELNYX_API_KEY are just environment variable names and are ignored.)

Issues (2)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • W008 (HIGH): Secret detected in skill content (API keys, tokens, passwords).

Audit Metadata

  • Risk Level: HIGH
  • Analyzed: Mar 12, 2026, 03:33 AM
  • Issues: 2