Credential-handling risk report for Vexa-ai/vexa
phantomcreds detected repo-level code or deployment patterns that warrant maintainer review.
| Metric |
Value |
| Scan date |
2026-05-19 |
| Composite score |
0.350 |
| Findings |
1 |
| Issue-worthy findings |
1 |
| Discovery sources |
secret-path-pypirc |
Detected finding types: exposed_secret
Secret-bearing credential material appears committed in current repository files
- Severity:
high
- Confidence:
confirmed
- Summary: Current repository files appear to contain committed API keys or webhook-style credential material. 2 redacted secret indicators were found in fetched repository files. Evidence is redacted in the report output.
Evidence:
deploy/helm/README.md:53 - [REDACTED:postgres://USER:[REDACTED:[REDACTED]]@HOST:5432/vexa]deploy/lite/Makefile:160 - [REDACTED:postgresql://postgres:[REDACTED:[REDACTED]]@localhost:5432/vexa]
LLM Fix Guide
Recommended remediation order:
- Revoke or rotate the exposed credential(s):
credential material.
- Remove the committed secret material from the current branch and replace it with environment-variable or secret-manager loading.
- If the secret existed in prior commits, rewrite history or invalidate the old credential so historical clones are harmless.
- Add secret-bearing files to
.gitignore and provide a safe template file such as .env.example instead of live credentials.
Suggested prompt for an LLM coding assistant:
Remove the exposed credential material from this repository without breaking runtime configuration.
Replace committed secrets with environment-variable loading or secret-manager integration.
Add or update ignore rules so secret-bearing files are not recommitted.
Preserve existing behavior, but migrate any checked-in .env, private-key, or service-account material to safe templates.
Show the exact files changed and include a short post-fix verification checklist.
This scan is evidence-first and probabilistic. It is not an accusation of malicious intent.
If any finding is incorrect or outdated, please reply with corrected context and exact file references.
Automated by phantomcreds.
Project repo · Created by James Sawyer at JS Labs.
Credential-handling risk report for
Vexa-ai/vexaphantomcreds detected repo-level code or deployment patterns that warrant maintainer review.
Detected finding types:
exposed_secretSecret-bearing credential material appears committed in current repository files
highconfirmedEvidence:
deploy/helm/README.md:53 - [REDACTED:postgres://USER:[REDACTED:[REDACTED]]@HOST:5432/vexa]deploy/lite/Makefile:160 - [REDACTED:postgresql://postgres:[REDACTED:[REDACTED]]@localhost:5432/vexa]LLM Fix Guide
Recommended remediation order:
credential material..gitignoreand provide a safe template file such as.env.exampleinstead of live credentials.Suggested prompt for an LLM coding assistant:
This scan is evidence-first and probabilistic. It is not an accusation of malicious intent.
If any finding is incorrect or outdated, please reply with corrected context and exact file references.
Automated by phantomcreds.
Project repo · Created by James Sawyer at JS Labs.