secrets-management

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The prompt contains examples that hardcode and echo secrets (e.g., export VAULT_TOKEN='root', vault kv put ... password=secret, aws --secret-string "super-secret-password", and echo "API Key: ${{ secrets.API_KEY }}"), which encourages emitting secret values verbatim in scripts/logs and thus risks exfiltration.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill contains runtime execution of externally fetched code — e.g., the pre-commit hook pulls and runs the Docker image trufflesecurity/trufflehog:latest, and the CI examples reference external GitHub Actions (hashicorp/vault-action@v2, actions/checkout@v4, aws-actions/configure-aws-credentials@v4) which are fetched and executed during workflow runs — so these are runtime external dependencies that execute remote code.