citation-management

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The skill includes an example that injects a Semantic Scholar API key into a command-line flag (--api-key) via shell substitution, which instructs passing secrets on the command line — a high-risk pattern for secret exposure even if the LLM doesn't itself know the secret value.