sast-jwt

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs the agent to extract and include code snippets showing signing/verification calls and "Code snippet (if hardcoded or suspicious)" and to produce PoC commands using actual tokens, which would require emitting secrets (hardcoded keys, tokens) verbatim—creating an exfiltration risk.