Following problem: I configured a !secret in configuration.yaml. A few weeks later, I came back to the automation that was using the secret, but using the UI to edit the automation this time.
The secret parameter is here resolved to its clear value in the UI. Thus, no chance to see in the UI that a secret is used at all.
Now the problem: if you save the automation after changing anything in the UI, it will write the clear value of the secret to the configuration.yaml.
Still, as it might be weeks or months later since the first setup, I will not notice my secret getting exposed as cleartext in the configuration.yaml.
This is a critical security issue!
It would be way better if the param: !secret value would be shown just as is in the UI. Two advantages: you do not expose the secret to the user (e.g. if you're showing others your automation), plus when saving changes to the automation with the UI editor, you keep the !secret configuration.
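A check for the failure mode described in the post, written as an added example (not code from the post or from the Home Assistant project). It assumes the usual Home Assistant layout: secret values live in a flat secrets.yaml, and the configuration files refer to them as `!secret <name>`. The sample secrets.yaml and automations.yaml contents are constructed for the demo; the "after" version is what a file looks like once a UI save has replaced the reference with the resolved value. The script flags any line that carries a secret's cleartext value instead of a `!secret` reference, which is the check a user would want to run before committing their config to version control or sharing it.

```python
"""Detect Home Assistant secrets written back in cleartext after a UI save.

Added example, not part of the original post or of Home Assistant. Assumes a
flat secrets.yaml (name: value) and `!secret name` references in the config.
All file contents below are constructed samples.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample secrets.yaml contents.
SAMPLE_SECRETS = """\
# secrets.yaml
mqtt_password: "correct horse battery staple"
webhook_token: 8f3a9b2c
"""

# Constructed automations.yaml as written by hand (reference intact).
SAMPLE_AUTOMATIONS_BEFORE = """\
- id: notify_on_door
  alias: Notify on door open
  trigger:
    - platform: webhook
      webhook_id: !secret webhook_token
  action:
    - service: mqtt.publish
      data:
        topic: home/door
        payload: open
"""

# Constructed automations.yaml after a UI save resolved the reference.
SAMPLE_AUTOMATIONS_AFTER = """\
- id: notify_on_door
  alias: Notify on door open
  trigger:
    - platform: webhook
      webhook_id: 8f3a9b2c
  action:
    - service: mqtt.publish
      data:
        topic: home/door
        payload: open
"""

_SECRET_LINE = re.compile(r'^\s*([A-Za-z0-9_]+)\s*:\s*(.+?)\s*$')


def parse_secrets(text: str) -> Dict[str, str]:
    """Minimal secrets.yaml reader for flat `name: value` pairs.

    Strips matching surrounding quotes. This is deliberately not a full YAML
    parser; it covers the flat file Home Assistant expects for secrets.
    """
    secrets: Dict[str, str] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue
        m = _SECRET_LINE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in '"\'':
            value = value[1:-1]
        secrets[name] = value
    return secrets


def find_leaked_secrets(secrets: Dict[str, str],
                        config_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, secret_name, line) for every config line that
    contains a secret's cleartext value rather than a `!secret name` tag.

    Caveat: very short secret values can collide with ordinary config text,
    so treat hits on short values as something to review, not as proof.
    """
    leaks: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        if '!secret' in line:
            # A proper reference never carries the value itself.
            continue
        for name, value in secrets.items():
            if value and value in line:
                leaks.append((lineno, name, line.strip()))
    return leaks


if __name__ == '__main__':
    secrets = parse_secrets(SAMPLE_SECRETS)
    for label, cfg in (('before UI save', SAMPLE_AUTOMATIONS_BEFORE),
                       ('after UI save', SAMPLE_AUTOMATIONS_AFTER)):
        leaks = find_leaked_secrets(secrets, cfg)
        print(f'{label}: {len(leaks)} leaked secret(s)')
        for lineno, name, line in leaks:
            print(f'  line {lineno}: value of !secret {name} in cleartext: {line}')
```

Run it against your real files by reading secrets.yaml and each YAML file under the config directory into the two functions; a non-empty result means the `!secret` reference has been replaced and the file needs to be repaired (and the secret rotated if the file has left the machine).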