Open source maintainers have been complaining about this for a while. https://sethmlarson.dev/slop-security-reports. I'm assuming the proliferation of AI will have some significant changes on/already has had for open source projects.
>>Nicook+(OP)
Yes! I recently had to manually answer and close a Github issue telling me I might have pushed an API key to github.
No, "API_KEY=put-your-key-here;" is a placeholder and I should not have to waste time writing that.