This page ships live-looking API keys and credentials directly in its HTML/JS, plus a DB URL hidden in an HTML comment and a JS sourcemap that re-exposes original source. Every value is fabricated and scoped to vuln-lab.test — safe to leak.
Trigger: view-source:/secrets/ or scan the inline JS / /assets/app.js.map.
Detected by: browser_cdp_js_secrets_scan