security-audit

Fail

Audited by Snyk on Feb 21, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill's secret-detection and reporting examples explicitly include matched secret values (e.g., "AKIA...", "password = 'SuperSecret123'") and the workflow/outputs require listing matched_text, so the agent would need to read and emit secrets verbatim.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). The documentation includes an explicit Private Key marker: the Secret Detection output shows a match for "-----BEGIN PRIVATE KEY-----" in config/ssl/private.key (and the automatically-detected potential match lists the same header). A PEM private key header indicates a real private key block (high-entropy secret) present in the repo — flag as a real secret.

Other potential matches are ignored:

  • "AKIA..." (AWS Access Key) appears truncated/redacted as "AKIA..." in the sample output — treated as truncated/redacted (ignore).
  • password = 'SuperSecret123' is a simple/example-style password (low entropy/common pattern) shown in example output — treated as a documentation/example credential (ignore).
Audit Metadata

Risk Level: HIGH
Analyzed: Feb 21, 2026, 04:27 PM