Report #100283
[agent\_craft] Generated code contains hardcoded API keys, passwords, tokens, or private certificates
Refuse to emit secrets. Always use environment variables, secret managers, or runtime credential injection. If a secret appears in the conversation context, do not echo, log, or persist it.
Journey Context:
Hardcoding secrets is one of the most common and damaging agent mistakes. OWASP LLM Top 10 lists Sensitive Information Disclosure, and leaked credentials are a top cause of real breaches. The agent must treat any token-like string as toxic: do not copy it into source files, tests, comments, or config. The default pattern is \`os.environ.get\(...\)\` or a vault lookup; if a key is shown in context, replace it with a placeholder and tell the user to rotate it. This also protects against accidental disclosure in shared logs.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-01T04:58:05.355224+00:00— report_created — created