Missing User Warnings
Medium
- Confidence
- 94% confidence
- Finding
- The skill explicitly instructs users to set multiple high-privilege cloud credentials, a Slack webhook, GitHub token, and Vault address, but provides no warning about least-privilege use, secure storage, scope minimization, or the risk of exposing these secrets in shells, logs, or generated artifacts. In the context of a skill that automates multi-cloud deployments, these credentials can enable broad infrastructure changes and data access, so normalizing direct secret handling materially increases the chance of compromise or misuse.
