opencode-sdk

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt shows and instructs embedding API keys directly in API calls (e.g., client.auth.set body: { key: "your-api-key" }), which encourages placing secret values verbatim into generated code/requests and thus risks exfiltration.