scientific-schematics

Fail

Audited by Snyk on Jun 14, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The prompt includes examples that instruct embedding API keys directly in command-line flags and in-code parameters (e.g., --api-key "sk-or-v1-..." and api_key="..."), which are high-risk patterns that require the LLM to handle or output secret values verbatim.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill makes runtime API calls to OpenRouter (https://openrouter.ai/api/v1) to run Gemini/Nano Banana models and parses the returned review/critique text, which is injected back into the improved prompt (via review_image → improve_prompt). Remote content from https://openrouter.ai therefore directly controls subsequent prompts, and the service is a required dependency (OPENROUTER_API_KEY).

Issues (2)

W007 (HIGH): Insecure credential handling detected in skill instructions.

W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level: HIGH
Analyzed: Jun 14, 2026, 09:22 AM
Issues: 2
Security Audit — snyk — scientific-schematics