sast-ssrf

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The skill instructs subagents to extract and paste exact code snippets, destination arguments, and concrete dynamic curl payloads from the codebase (and to include the contents of sast/architecture.md), so if those files contain hardcoded API keys, tokens, cookies, or passwords the agent will be asked to output them verbatim, creating an exfiltration risk.