md2docx

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly instructs including the API key in request headers and CLI arguments (e.g., X-API-Key: {api_key}, --api-key your_key) and even supplies a trial key string, which encourages embedding secret values verbatim in outputs/commands.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

• Secret detected (high risk: 1.00). I found one high-entropy literal that appears to be an embedded API credential: the trial key "f4e8fe6f-e39e-486f-b7e7-e037d2ec216f" (listed under "Trial Key (Fallback)"). This looks like a real UUID-style API key and is directly present in the document, so it meets the definition of a secret.

Other values in the doc are placeholders or low-entropy examples (e.g., "your_api_key_here", {api_key}, "YOUR_API_KEY", export DEEP_SHARE_API_KEY="your_api_key_here") and are intentionally ignored per the rules.