django-bolt

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt contains multiple examples that embed secret values directly in code/config (e.g., JWT_SECRET_KEY="your-secret-key", DATABASES PASSWORD="mypassword", docker env POSTGRES_PASSWORD=pass) and shows passing secrets as string arguments (JWTBearer(secret_key=...)), which encourages the LLM to include secret values verbatim in generated outputs—an insecure pattern that risks exfiltration.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The prompt includes instructions to create/modify system-wide files and services (e.g., /etc/systemd/system/django-bolt.service, nginx and supervisor configs) and runs sudo systemctl/supervisor commands, which require elevated privileges and modify the machine state.