bmad-customize

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). This skill instructs the agent to read, show full TOML files, diffs, and merged resolver output (and to write overrides), so any API keys, tokens, or passwords present in those files would be output verbatim and thus risk exfiltration even though it doesn't explicitly ask for credentials.