managing-tls-certificates

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill instructs embedding base64-encoded client_cert and client_key directly into the changefeed URI (client_key is private key material), which would require the LLM to include secret values verbatim in generated SQL/URIs, creating an exfiltration risk.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.70). The skill instructs creating and rotating CA/private keys, uploading client CAs, copying certs to nodes, and reloading processes (e.g., kill -SIGHUP), all of which modify system state and require administrative access or write access to sensitive system locations, though it does not explicitly ask for privilege escalation or creating new user accounts.