raycast-extensions
Audited by Snyk on Jun 30, 2026
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I scanned the skill content for high-entropy literal values that look like real credentials. I found one clear match in the test fixture file:
- File: evals/fixtures/dictionary-flawed/src/search.tsx
- const API_KEY = "dict_live_sk_8f3a9b2c1d4e5f6a7b8c9d0e";
This is a high-entropy, API-key–looking string (prefix "dict_live_sk_" and a long random suffix). Even though the file comment says it was a deliberately planted/fake secret and includes a gitleaks allow, it is still a literal, credential-shaped token in source and therefore should be treated as a secret per the rules.
No other high-entropy secrets were present. I ignored placeholders, doc templates, and simple example strings elsewhere (e.g., placeholders like {PR_MERGE_DATE}, preference examples, or plain words) because they are non-secret documentation values per the ignore rules.
Issues (1)
Secret detected in skill content (API keys, tokens, passwords).