scientific-schematics

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt contains explicit examples that embed API keys directly (e.g., --api-key "sk-or-v1-..." and api_key="your_openrouter_key"), which encourages placing secret values verbatim into commands/code and thus requires the LLM to handle/output secrets directly.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill makes runtime API calls to OpenRouter (https://openrouter.ai/api/v1) to run the Nano Banana Pro image model and Gemini 3 Pro reviewer, and the review text returned is injected into improved prompts (via improve_prompt) to control subsequent generations, so this external URL is a runtime dependency that directly controls agent prompts.