scientific-schematics

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt includes examples that embed API keys directly (e.g., --api-key "sk-or-v1-...", api_key="your_openrouter_key") and a flag to pass keys on the command line, which instructs copying secrets verbatim into code/commands and therefore risks secret exfiltration.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill makes runtime calls to the OpenRouter API (https://openrouter.ai/api/v1 and the key provisioning URL https://openrouter.ai/keys) and uses the model's review responses (Gemini 3.1 Pro Preview) to generate critiques that are injected back into subsequent prompts, so external content from that URL directly controls prompt refinement and is a required dependency (OPENROUTER_API_KEY).