implementing-secrets-management-with-vault

Fail

Audited by Snyk on Apr 11, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt contains example commands and configuration that embed plaintext secrets (e.g., access_key=AKIAEXAMPLE, secret_key=secretkey, oidc_client_secret="vault-client-secret", database password entries and templates that render DB_PASSWORD) as literal values, which instructs the agent to handle or emit secret values verbatim and thus creates an exfiltration risk.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill contains explicit commands and configuration paths that modify system-level files and services (e.g., /opt, /var/log, listener TLS keys, audit backends, Vault init/rotate operations) which would change the host state and typically require elevated privileges, so it should be flagged.

Issues (2)

W007 (HIGH): Insecure credential handling detected in skill instructions.

W013 (MEDIUM): Attempt to modify system services in skill instructions.

Audit Metadata

Risk Level: HIGH
Analyzed: Apr 11, 2026, 09:00 AM
Issues: 2