logo-batch-generator

Fail

Audited by Snyk on Feb 27, 2026

Risk Level: HIGH

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt embeds a hard-coded API key and shows it passed verbatim in command-line arguments and configuration, which requires the agent/LLM to handle and output a secret value directly.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). The document contains a high-entropy, literal Google API key (matches the common "AIzaSy..." pattern) used in both the CLI example (--api-key "...") and the API configuration table. This is not a placeholder, truncated, or simple example string — it appears to be a real, usable credential. Flagging is required. Recommend removing from docs, revoking/rotating the key, and moving credentials to environment variables or a secrets manager.

Audit Metadata

Risk Level: HIGH
Analyzed: Feb 27, 2026, 06:35 PM