scientific-schematics

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The prompt includes insecure examples that embed API keys verbatim (e.g., a --api-key CLI flag with "sk-or-v1-..." and a hardcoded api_key parameter in Python), which encourages placing secrets directly into commands/code rather than keeping them only in environment variables.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill makes runtime API calls to https://openrouter.ai/api/v1 (OpenRouter/Gemini endpoints), and the text critiques returned by that service are parsed and injected into improved generation prompts (thus remotely controlling prompts and the iterative generation flow), so this is a runtime external dependency that directly controls agent instructions.