think-framework-advisor

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The prompt mandates copying 3–12 exact substrings from the user's input into the public "source ledger" (exact quotes), so if a user pastes API keys, tokens, passwords, or other secrets those will be reproduced verbatim in the model's output, creating an exfiltration risk even though the skill doesn't explicitly request credentials.