scientific-schematics
Fail
Audited by Snyk on Apr 11, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt includes insecure examples that embed API keys directly (e.g., --api-key "sk-or-v1-..." and api_key="your_openrouter_key") and shows passing keys on the command line or in code, which would require the LLM to output secret values verbatim.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill makes runtime API calls to OpenRouter (https://openrouter.ai/api/v1, referenced also via https://openrouter.ai/keys) to run Nano Banana 2 and Gemini 3.1 Pro Preview, and the text critique returned by the remote Gemini review is fetched at runtime and directly used to modify/construct subsequent prompts (so remote content controls agent prompts and is a required dependency).
Issues (2)
W007
HIGH: Insecure credential handling detected in skill instructions.
W012
MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata