active-record-encryption

Fail

Audited by Snyk on May 1, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt includes literal encryption keys in example YAML and instructs storing and outputting them verbatim (e.g., in credentials or generated files), which encourages the LLM to emit secret values and creates an exfiltration risk.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I inspected the skill prompt for literal, high-entropy values that could be usable credentials.

Flagged items:

  • The YAML example under "Generate and Store Keys" contains three literal, random-looking values:
      • primary_key: YehXdfzxVKpoLvKseJMJIEGs2JxerkB8
      • deterministic_key: uhtk2DYS80OweAPnMLtrV2FhYIXaceAy
      • key_derivation_salt: g7Q66StqUQDQk9SJ81sWbYZXgiRogBwS
    These are high-entropy, appear to be real encryption key material, and are directly present in the documentation — so they meet the definition of secrets to flag.

Ignored items (not flagged) and why:

  • Instances of placeholders such as config.active_record.encryption.primary_key = "..." — documentation placeholder (ignored).
  • Key-rotation example entries like old_key_abc123 / new_key_xyz789 — low-entropy/example values (ignored).
  • Ellipses ("...") and environment variable names (ENV["..."]) — placeholders or references only (ignored).
  • Any simple example passwords or descriptive examples — treated as documentation placeholders per the provided rules.

Therefore this document includes hardcoded, high-entropy key material in the YAML example and should be treated as containing secrets.

Issues (2)

W007
HIGH

Insecure credential handling detected in skill instructions.

W008
HIGH

Secret detected in skill content (API keys, tokens, passwords).

Audit Metadata

Risk Level: HIGH
Analyzed: May 1, 2026, 04:08 AM
Issues: 2