scientific-schematics

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt contains explicit examples that embed API keys directly (e.g., --api-key "sk-or-v1-..." and api_key="your_openrouter_key"), which encourages placing secret values verbatim into commands/code and thus requires the LLM to handle/output secrets directly.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill makes runtime API calls to OpenRouter (https://openrouter.ai/api/v1) to both generate images and to obtain Gemini 3 Pro review text that is then injected into improved-generation prompts (remote review content directly controls subsequent prompts), and the OpenRouter service is a required dependency (OPENROUTER_API_KEY), so this is high-confidence risky external control.