Credential access pattern in skill content
What it detects
References to credential file paths — ~/.aws/credentials, ~/.ssh/id_rsa, .env (excluding .env.example), ~/.npmrc, ~/.docker/config.json, and similar — inside SKILL.md content or scripts bundled with a skill.
Severity scales with context. A bundled shell script that reads a credential path is HIGH, and CRITICAL if an exfiltration verb (send, upload, curl, post) appears nearby. A skill description that imperatively instructs the agent to read and report a credential file is CRITICAL. A passive documentation reference ("see ~/.aws/credentials for setup") is excluded entirely.
Skill files are loaded automatically with agent trust — there's no install step or dependency manifest the way there is for a server binary, so this class of finding is invisible to scanners that only check server code.
Real example
Three SKILL.md files instruct credential file access. AI-confirmed.
How to fix it
If the skill legitimately needs a credential, use an environment variable injected at runtime via the MCP server config — never a disk path read from inside a skill description or tool handler. Passive setup documentation ("copy .env.example to .env") is fine; an instruction to read and act on the contents of a real credential file is not.