secrets-management

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The prompt includes examples that embed secrets verbatim in commands and CLI arguments (e.g., vault token='root', vault kv put ... password=secret, aws --secret-string "super-secret-password", echo "DB_PASSWORD=$SECRET"), which instructs or demonstrates putting secret values directly into generated code/commands and thus requires handling/outputting secrets verbatim.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The skill includes runtime references that fetch and execute remote code — e.g., GitHub Actions references like hashicorp/vault-action@v2, actions/checkout@v4, aws-actions/configure-aws-credentials@v4 and the Docker image trufflesecurity/trufflehog:latest are pulled and run during CI/CD jobs, so they are external runtime dependencies that execute remote code.