chanjing-avatar

Fail

Audited by Snyk on Mar 27, 2026

Risk Level: HIGH
Full Analysis

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I scanned the prompt for high-entropy, literal credential values.

Flagged:

  • The sample access_token value in the Obtain AccessToken response: "1208CuZcV1Vlzj8MxqbO0kd1Wcl4yxwoHl6pYIzvAGoP3DpwmCCa73zmgR5NCrNu" This is a long, random-looking token that fits the definition of a secret (high entropy, could be used to authenticate to the API). Even though it appears in an example response, it is not a placeholder and therefore should be treated as a potential active credential.

Ignored (not flagged) and why:

  • trace_id values like "8ff3fcd57b33566048ef28568c6cee96" — identifiers for tracing/logging, not credentials.
  • file_id/video_id values like "e284db4d95de4220afe78132158156b5" and "9499ed79995c4bdb95f0d66ca84419fd" — resource identifiers used in API examples, not secret credentials.
  • audio_man_id "C-f2429d07554749839849497589199916" — an asset/voice identifier, not an authentication secret.
  • References to credentials stored in ~/.chanjing/credentials.json or manifest.yaml — these are pointers to where credentials belong, not exposed values.
  • Other example strings and table entries are either documentation placeholders or low-sensitivity identifiers.

Recommendation: Treat the sample access_token as sensitive. The content alone cannot show whether the value is live, so rotate or revoke it on the assumption that it is, and replace it in the example response with a clearly marked placeholder (e.g., "<ACCESS_TOKEN_HERE>") so that the published skill carries no literal credential value.
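The scan described above, implemented as an added example that is not Snyk's W008 rule and not code from the chanjing-avatar skill. It reproduces the audit's reasoning on a constructed sample: quoted "key": "value" pairs are extracted, placeholder-shaped values are skipped, 32-hex-digit values under a key ending in `id` (optionally prefixed like `C-...`) are treated as resource or tracing identifiers, and anything long, mixed-case and high-entropy is flagged as a secret. The sample text, the key-name heuristics and the entropy threshold are assumptions chosen for this example; the identifier and token values are the ones quoted in the finding.

```python
import math
import re
from collections import Counter

# The token the audit flagged, quoted from the finding above.
FLAGGED_TOKEN = "1208CuZcV1Vlzj8MxqbO0kd1Wcl4yxwoHl6pYIzvAGoP3DpwmCCa73zmgR5NCrNu"

# Constructed sample modelled on the skill's API examples (not the real skill
# content): the flagged token, the identifiers the audit ignored, a credentials
# path reference, and a properly marked placeholder.
SAMPLE_SKILL_CONTENT = f"""\
Obtain AccessToken (example response):
  {{"trace_id": "8ff3fcd57b33566048ef28568c6cee96",
   "data": {{"access_token": "{FLAGGED_TOKEN}"}}}}
Upload file (example response):
  {{"file_id": "e284db4d95de4220afe78132158156b5"}}
Create video (example request):
  {{"video_id": "9499ed79995c4bdb95f0d66ca84419fd",
   "audio_man_id": "C-f2429d07554749839849497589199916"}}
Credentials are read from ~/.chanjing/credentials.json, e.g.
  {{"access_token": "<ACCESS_TOKEN_HERE>"}}
"""

# "key": "value" pairs; the key name is the first signal an auditor uses.
KV_RE = re.compile(r'"([A-Za-z0-9_]+)"\s*:\s*"([^"]*)"')
ID_KEY_RE = re.compile(r"(^|_)id$")                      # trace_id, file_id, audio_man_id
SECRET_KEY_RE = re.compile(r"token|secret|key|password|passwd", re.I)
PLACEHOLDER_RE = re.compile(r"^<[A-Z_]+>$|^(YOUR_|REPLACE_|EXAMPLE_|xxx)", re.I)
HEX_ID_RE = re.compile(r"^([A-Z]-)?[0-9a-f]{32}$")        # 128-bit hex id, optional prefix


def shannon_entropy(value: str) -> float:
    """Shannon entropy in bits per character (hex tops out at 4.0,
    64 random alphanumerics land around 5.0-5.5)."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def looks_random(value: str, min_len: int = 32, min_entropy: float = 4.2) -> bool:
    """Length, entropy and mixed character classes: the 'long, random-looking'
    test the finding applies. Thresholds are assumptions for this example."""
    classes = sum((any(ch.islower() for ch in value),
                   any(ch.isupper() for ch in value),
                   any(ch.isdigit() for ch in value)))
    return len(value) >= min_len and classes == 3 and shannon_entropy(value) >= min_entropy


def classify(key: str, value: str) -> str:
    """Verdict for one pair: placeholder, identifier, secret, suspect or low-sensitivity."""
    if PLACEHOLDER_RE.match(value):
        return "placeholder"            # clearly marked, nothing to rotate
    if ID_KEY_RE.search(key) and HEX_ID_RE.match(value):
        return "identifier"             # resource/tracing id, not a credential
    if looks_random(value):
        return "secret"                 # literal high-entropy credential value
    if SECRET_KEY_RE.search(key):
        return "suspect"                # credential-named field, non-random literal
    return "low-sensitivity"


def scan(text: str) -> list[tuple[str, str, str]]:
    """Return (key, value, verdict) for every quoted pair in the content."""
    return [(k, v, classify(k, v)) for k, v in KV_RE.findall(text)]


def flagged(text: str) -> list[tuple[str, str]]:
    """Only the pairs an auditor should report as W008-style findings."""
    return [(k, v) for k, v, verdict in scan(text) if verdict == "secret"]


if __name__ == "__main__":
    for key, value, verdict in scan(SAMPLE_SKILL_CONTENT):
        print(f"{verdict:<16} {key} = {value}")
```

On the constructed sample this reports exactly one secret, the access_token in the "Obtain AccessToken" example, and classifies the four hex identifiers as identifiers and the "<ACCESS_TOKEN_HERE>" value as a placeholder. The identifier rule depends on the key name as well as the hex shape, so a 32-hex-digit value sitting under a key like "api_key" still reaches the entropy test rather than being waved through.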

Issues (1)

W008 (HIGH): Secret detected in skill content (API keys, tokens, passwords).

Audit Metadata
Risk Level: HIGH
Analyzed: Mar 27, 2026, 07:35 PM
Issues: 1