secure-key-manager

Fail

Audited by Snyk on Mar 8, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt includes examples that pass plaintext passwords and API keys as command-line arguments and as literal strings in code (e.g., -p "zhuoran2024", -v "BSA..."). This requires the agent to handle the secrets directly and could cause it to output them verbatim, creating a high exfiltration risk.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I scanned the full prompt for literal, high-entropy credentials. The value -v "BSAviFtiUFyIz2999vFS13X4jlFlXir" in the example command is a random-looking string, prefixed with "BSA" (matches the doc's Brave Search key pattern) and appears to be an actual API key rather than a placeholder — therefore it is flagged as a real secret. Other values in the document are ignored: "zhuoran2024" and occurrences of "密码"/"你的密码" are low-entropy example/setup passwords (documentation examples), "sk-xxx" and "sk-..." are placeholders, and environment variable names or descriptive strings are not credentials.
Audit Metadata

Risk Level: HIGH
Analyzed: Mar 8, 2026, 02:25 AM