When mirroring an external repository to quay, skopeo processes are generated to copy the information. By doing a ps on the host where that command is being executed you can see the user and password being used in plain text.
1001 39351 38470 10 13:23 ? 00:00:00 /usr/bin/skopeo copy --all --remove-signatures --src-tls-verify=False --dest-tls-verify=True --dest-creds manrique+robotmirror:TGKB32T8C58VHR4SVAS44Q8WS249RXSWJSW1634ZXM5XQQJMXIPQ5HTDGJTPT5FC --src-creds mangarci:xxxxxxx docker://quay.io/openshift-release-dev/ocp-release:4.1.20 docker://ip-10-0-1-73.eu-west-1.compute.internal/manrique/ocp4-mirror:4.1.20