deep-dive

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The skill explicitly reads and injects codebase/trace-derived text verbatim into prompts and saved spec/trace files (even if wrapped in delimiters) without requiring redaction, so if those artifacts contain API keys, tokens, or passwords the LLM will be asked to include them in its outputs, creating an exfiltration risk.