telnyx-video-javascript
Fail
Audited by Snyk on May 13, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.90). The prompt includes a literal refresh_token (a JWT-like secret) embedded in example code that demonstrates passing a secret value directly in a request payload, which is an instruction pattern that can cause the LLM to output secrets verbatim.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). The example includes a full, high-entropy JWT (three base64url parts with a long signature) used as the refresh_token in the refreshClientToken example. This is a literal credential (refresh token) present in the docs — not a placeholder, truncated value, or simple example password — and could be used to obtain access (i.e., it's a usable secret). I did not flag environment variable names (e.g., TELNYX_API_KEY) because those are just variable names without values. Recommended actions: remove the token from docs, rotate/revoke it immediately, and replace with a placeholder or instruct readers to use environment variables.
Issues (2)
W007
HIGH: Insecure credential handling detected in skill instructions.
W008
HIGH: Secret detected in skill content (API keys, tokens, passwords).
Audit Metadata