chanjing-tts

Fail

Audited by Snyk on Mar 29, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). This skill tells the agent to read app_id and secret_key from ~/.chanjing/credentials.json and embed them in the access_token request (and to include the resulting access_token in subsequent requests), which requires the agent to handle and output secret values verbatim, creating an exfiltration risk.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I found a high-entropy, literal access token in the documentation example that looks like a real, usable credential:
  • access_token in the "Obtain AccessToken" response example: "1208CuZcV1Vlzj8MxqbO0kd1Wcl4yxwoHl6pYIzvAGoP3DpwmCCa73zmgR5NCrNu"

This string is long, random-looking, and would likely grant API access if valid, so it meets the definition of a secret.

I intentionally did NOT flag other random-looking values (e.g., trace_id, task_id "88f635dd9b8e4a898abb9d4679e0edc8", voice IDs like "f9248f3b1b42447fb9282829321cfcf2", or audio_man "89843d52...") because those are resource identifiers (IDs) used in examples and are not credentials that grant access by themselves. Also, there are no private-key blocks or obvious sk-/pk-style API keys elsewhere.

Issues (2)

W007
HIGH

Insecure credential handling detected in skill instructions.

W008
HIGH

Secret detected in skill content (API keys, tokens, passwords).

Audit Metadata
Risk Level
HIGH
Analyzed
Mar 29, 2026, 07:35 AM
Issues
2