Context-Inappropriate Capability
High
- Confidence
- 98% confidence
- Finding
- The script directly configures external service credentials and endpoints, including a hardcoded API key, in a local test file without any access control or disclosure mechanism. Embedding secrets in source code is dangerous because anyone with repository or artifact access can reuse the credential, incur costs, access third-party services, or pivot into related environments.
