sast-hardcodedsecrets
Detects hardcoded sensitive data in publicly accessible code using a three-phase approach to enhance security assessments.
Security score: 70/100
The sast-hardcodedsecrets skill was audited on Jun 13, 2026 and we found 6 security issues across 2 threat categories. Review the findings below before installing.
Security Issues
Medium (SKILL.md, line 106): Webhook reference - potential data exfiltration
Flagged line:
| 106 | | Slack Webhook URL | `hooks.slack.com/services/T[A-Z0-9]+/B[A-Z0-9]+/[A-Za-z0-9]+` | |
Medium (SKILL.md, line 58): Access to .env file
Flagged line:
| 58 | - **Environment files** — `.env`, `.env.local`, `.env.production` (unless served statically) |
Medium (SKILL.md, line 143): Access to .env file
Flagged line:
| 143 | - **Environment variable references**: `process.env.API_KEY`, `os.environ["SECRET"]`, `ENV["KEY"]` — these read from the environment at runtime, not hardcoded |
Medium (SKILL.md, line 194): Access to .env file
Flagged line:
| 194 | > - Environment variable reads: `process.env.*`, `os.environ[*]`, `ENV[*]`, `System.getenv(*)` — these are not hardcoded |
Medium (SKILL.md, line 292): Access to .env file
Flagged line:
| 292 | > - `.env` files, server config files, Docker/CI files |
Medium (SKILL.md, line 405): Access to .env file
Flagged line:
| 405 | - **`NEXT_PUBLIC_*`, `REACT_APP_*`, `VITE_*` env vars**: These are embedded into client bundles at build time. If the code references `process.env.NEXT_PUBLIC_API_KEY`, that IS client-accessible — but |