The skill handles credentials insecurely by requiring the agent to include secret values verbatim in its generated output. This exposes credentials in the agent’s context and conversation history, creating a risk of data exfiltration.

Why it was flagged

Insecure credential handling detected (high risk: 1.00). The prompt explicitly requires subagents to return validator JSON verbatim (including outputs from a security validator and analyses of changed files), so any secrets present in code or produced by validators would be handled and emitted verbatim, creating an exfiltration risk.

Report incorrect finding

Audited: 2 months ago
Security analysis