Avoid exposing secure argument values to STDOUT when using --prompt #5568

@WilliamDEdwards

--prompt is a global parameter that allows for passing input to stdin, instead of specifying it on the CLI. This is useful for passing confidential information, such as passwords (documented as a common use case @ https://developer.wordpress.org/cli/commands/config/create/#examples).

In case of an error, WP-CLI outputs the full command it runs to stdout. When using --prompt, WP-CLI runs a different command than the user-specified one, as the parameters and arguments specified in --prompt are added to the cmdline.

When using --prompt=dbpass, the stdin value of dbpass (--dbpass='test') is echoed to stdout:

$ /usr/local/bin/wp config create --dbname=wordpress --dbuser=wordpress --dbhost=localhost --prompt=dbpass --path=wp
1/10 [--dbpass=<dbpass>]: test
# This is stdout
wp config create --dbname='wordpress' --dbuser='wordpress' --dbhost='localhost' --dbpass='test' --dbprefix='wp_' --dbcharset='utf8' --dbcollate=''
# This is stderr
ERROR 1045 (28000): Access denied for user 'wordpress'@'localhost' (using password: YES)

This defeats the purpose of using --prompt for security, as stdout may end up in logs and user terminals.

I think it would be useful to hide parameters/arguments specified using --prompt from the cmdline in stdout.

P.S. I'm aware that --quiet suppresses stdout output, but having stdout can be useful for debugging.
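
One way the masking requested above could look, as an added example that is not part of the original issue and not WP-CLI's own code. The function name, its parameters and the `<redacted>` marker are hypothetical; the sample arguments are reconstructed from the session shown in the issue.

```php
<?php
/**
 * Render a command line for display, masking values that were read via --prompt.
 * Hypothetical helper for illustration; not a WP-CLI API.
 *
 * @param string[] $positional Command words, e.g. ['config', 'create'].
 * @param array    $assoc_args Associative args after prompting has filled them in.
 * @param string[] $prompted   Names of the args whose values came from stdin.
 */
function render_command_for_display( array $positional, array $assoc_args, array $prompted ): string {
    $parts = array_merge( [ 'wp' ], $positional );

    foreach ( $assoc_args as $name => $value ) {
        $name = (string) $name; // PHP casts numeric-looking keys to int; normalise.

        if ( in_array( $name, $prompted, true ) ) {
            // Value was typed at the prompt: show that the flag is set, never its content.
            $parts[] = "--{$name}=<redacted>";
        } elseif ( true === $value ) {
            // Boolean flag without a value.
            $parts[] = "--{$name}";
        } else {
            $parts[] = "--{$name}=" . escapeshellarg( (string) $value );
        }
    }

    return implode( ' ', $parts );
}

// Constructed sample input mirroring the session in the issue.
$assoc_args = [
    'dbname'    => 'wordpress',
    'dbuser'    => 'wordpress',
    'dbhost'    => 'localhost',
    'dbpass'    => 'test',   // read from stdin via --prompt=dbpass
    'dbprefix'  => 'wp_',
    'dbcharset' => 'utf8',
    'dbcollate' => '',
];

// Only the prompted argument is masked; everything else stays visible for debugging.
echo render_command_for_display( [ 'config', 'create' ], $assoc_args, [ 'dbpass' ] ), PHP_EOL;
```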
