opencode-companion

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The skill mandates forwarding companion stdout "verbatim" (and quoting prompt text), so while it doesn't ask for keys or embed secrets in commands, it does require the LLM to reproduce any secrets that appear in runtime output, creating a high exfiltration risk.