The skill handles credentials insecurely by requiring the agent to include secret values verbatim in its generated output. This exposes credentials in the agent’s context and conversation history, creating a risk of data exfiltration.

Why it was flagged

Insecure credential handling detected (high risk: 1.00). This skill requires referencing actual "prompts" and "tool_calls" from session logs as evidence and embedding them in reports, which could force the LLM to reproduce any API keys, tokens, cookies, or passwords present in those logs verbatim (no redaction guidance is provided).

Report incorrect finding

Audited: 5 days ago
Security analysis