check-harness

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt requires reading project/user config files (e.g., settings.json, MCP settings, .claude/rules) and explicitly demands "evidence strings" and a runtime inventory to be recorded/output, which can force the model to include API keys or secrets verbatim in reports, so it creates a high exfiltration risk.