deepspeed
Fail
Audited by Snyk on Jun 29, 2026
Risk Level: HIGH
Full Analysis
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I scanned the entire skill content for literal high-entropy credentials. The only candidate I found was the Comet experiment key in the Comet config example: "experiment_key": "0c4a1c4a90664f2a8084e600b19a9d7"
Reasoning:
- This value is a 32-character hex string (moderate/high entropy) and is the type of token that can grant access to a Comet experiment; it is not an obvious placeholder like "YOUR_API_KEY" or "my_project".
- Other values in the doc are clearly placeholders, simple words, config names, file paths, or small integers (e.g., "/local_nvme", "DeepSpeedJobName", "my_project", "tensorboard"/"wandb" names, numeric defaults such as 32). Those are low-entropy or clearly example placeholders and thus ignored per the rules.
- The doc also contains explicit guidance not to store Comet API keys in code; however, the literal experiment_key shown appears to be a real-form token in an example and therefore should be treated as a possible secret.
Thus I flag the Comet experiment_key as a potential leaked secret; everything else is ignored as placeholders or non-secrets.
Issues (1)
W008
HIGHSecret detected in skill content (API keys, tokens, passwords).
Audit Metadata