article-batch-illustration
Fail
Audited by Snyk on Feb 27, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt contains a literal API key (AIzaSy...) and explicit examples that pass it as a command-line argument/parameter, which requires the agent to output the secret verbatim and thus poses a high exfiltration risk.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). The document contains a direct, high-entropy API key string: "AIzaSyDvvGGRbH4Os3Er0dYi0kE_AzE3_2b_Az8". This matches the Google API key pattern ("AIzaSy..."), appears literally in the example command and the API configuration table, and is therefore a usable credential rather than a placeholder. It is not a simple/example password or truncated/redacted value, so it should be flagged as a real secret.