voice-clone

Fail

Audited by Snyk on Mar 8, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt embeds a hard-coded API key literal (WAVESPEED_KEY = "...") and constructs Authorization headers with it, which requires the LLM to handle the secret and may cause it to output the secret verbatim.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). The file includes a hardcoded, high-entropy API key assigned as a default value:

        WAVESPEED_KEY = os.getenv("WAVESPEED_KEY", "b9c67f3def268385bb9734970b11531f12ea24ae0d153859242e48ae46227668")

This is a long, random-looking literal used directly in an Authorization: Bearer header; it qualifies as a real API secret and should be treated as an exposed credential.

Ignored items: voice IDs (e.g., "wuna-001"), sample texts, file paths (including ".openclaw"), and other simple strings are low-entropy/documentation values and not flagged per the provided rules.

Audit Metadata
Risk Level: HIGH
Analyzed: Mar 8, 2026, 02:25 AM