
Potential Security issues when using InsertToken wrapper. #1

@djarrard-zz

Description


If Info-level messaging is enabled on the GP Service > Parameters > Message Level setting, the username and password information that is stored in the "Insert Token To Webmap JSON" tool is visible in plain text.

Workaround: This is only an issue when using Info level messaging. Leave it at the default (Error) or Warning instead of Info. In most cases, for a production-level service, it is highly inadvisable to leave Info messaging on permanently. The other way to work around this would be to embed the credentials as permanent values in the actual script file instead of making them variables within the script tool.

One other consideration: The entire toolbox and script is uploaded to the arcgisserver > arcgisinput directory upon publishing to ArcGIS Server. This means that anyone with permissions to view that file-system could potentially extract the credentials. When using best practices, however, this would not be a concern because these directories would only be accessible to GIS administrators anyway.
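As an added example (not code from this repository or its author), the following Python models the behaviour the issue describes: GP job messages carry a level, the service's Message Level setting decides which of them a client receives, and the Info-level execution line is where the script tool's parameter values, username and password included, are echoed. Everything here is an assumption or a constructed sample: the message texts, the credentials, and the `emit` callback that stands in for `arcpy.AddMessage` so the code runs without ArcGIS installed.

```python
from typing import Callable, Dict, List, Tuple

# A GP job message: (level, text). Levels mirror the GP service
# "Message Level" choices named in the issue: Error, Warning, Info.
Message = Tuple[str, str]

SEVERITY = {"error": 0, "warning": 1, "info": 2}

# Constructed credentials, standing in for the username/password
# parameters of the "Insert Token To Webmap JSON" script tool.
SECRETS: Dict[str, str] = {"username": "gisadmin", "password": "Pa55w0rd!"}

# Constructed sample of the messages a script-tool job might return.
# The "Executing (...)" line echoes every parameter value; that is the
# line that leaks when Info messaging is on. Its exact format is an assumption.
SAMPLE_MESSAGES: List[Message] = [
    ("info", "Executing (InsertTokenToWebmapJSON): InsertTokenToWebmapJSON "
             "gisadmin Pa55w0rd! https://portal.example.invalid/sharing/rest"),
    ("info", "Start Time: Tue Jan 01 00:00:00 2019"),
    ("info", "Running script InsertTokenToWebmapJSON..."),
    ("warning", "Token expires in 2 minutes; consider a longer expiration"),
    ("info", "Completed script InsertTokenToWebmapJSON..."),
    ("info", "Succeeded at Tue Jan 01 00:00:01 2019 (Elapsed Time: 1.00 seconds)"),
]


def visible_messages(messages: List[Message], configured_level: str) -> List[Message]:
    """Messages a client receives when the service's Message Level is
    configured_level: everything at that severity or more severe."""
    limit = SEVERITY[configured_level.lower()]
    return [(lvl, txt) for lvl, txt in messages if SEVERITY[lvl] <= limit]


def find_leaks(messages: List[Message], secrets: Dict[str, str]) -> List[Tuple[int, str]]:
    """Detection: (message index, secret name) for every message that
    contains a secret value in plain text."""
    leaks = []
    for i, (_, txt) in enumerate(messages):
        for name, value in secrets.items():
            if value and value in txt:
                leaks.append((i, name))
    return leaks


def redact(text: str, secrets: Dict[str, str]) -> str:
    """Mitigation for messages the script itself emits: replace each secret
    value, longest first so a short secret that is a substring of a longer
    one leaves no residue."""
    for value in sorted((v for v in secrets.values() if v), key=len, reverse=True):
        text = text.replace(value, "[REDACTED]")
    return text


def safe_add_message(text: str, secrets: Dict[str, str],
                     emit: Callable[[str], None] = print) -> str:
    """Wrapper a script tool can call instead of emitting text directly.
    `emit` stands in for arcpy.AddMessage (assumption, kept offline here).
    Returns the redacted text that was emitted."""
    clean = redact(text, secrets)
    emit(clean)
    return clean


def audit(messages: List[Message], secrets: Dict[str, str]) -> Dict[str, List[Tuple[int, str]]]:
    """Run the leak check at each Message Level setting, showing that the
    parameter echo is only exposed once the level is raised to Info."""
    return {level: find_leaks(visible_messages(messages, level), secrets)
            for level in ("error", "warning", "info")}


if __name__ == "__main__":
    for level, leaks in audit(SAMPLE_MESSAGES, SECRETS).items():
        print(f"Message Level={level:8s} leaks={leaks}")
    safe_add_message("Requesting token for gisadmin with password Pa55w0rd!", SECRETS)
```

`audit` reports no leaked values at the Error or Warning setting and flags message 0 at Info, which matches the workaround in the issue. `redact` and `safe_add_message` only protect text the script writes itself; the "Executing (...)" echo of the tool parameters is produced by the GP framework, so the message-level setting (or not passing credentials as tool parameters, as the issue suggests) remains the control for that line.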
