storyboard-generator

Fail

Audited by Snyk on Feb 27, 2026

Risk Level: HIGH

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt contains a literal API key and directs embedding it verbatim into command-line calls and generated scripts (e.g., --api-key "AIzaSy..."), forcing the agent to output and propagate a secret directly, which is high-risk.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). The document contains a high-entropy, literal Google API key (prefix "AIzaSy...") embedded twice: once inside the example CLI call (--api-key "...") and once in the "API Key" field of the API configuration table. This matches real Google API key formatting and is not a placeholder, a truncated value, or a simple or setup password. It is therefore a direct, usable credential and should be treated as leaked: revoke and regenerate it, remove it from the docs, and switch to the environment or a secret store.

Audit Metadata

Risk Level: HIGH
Analyzed: Feb 27, 2026, 06:35 PM