scientific-schematics

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt includes insecure patterns (passing API keys via --api-key on the command line and embedding api_key="..." in example code) which would require the model to handle or reproduce secret values verbatim if users supply them, even though env-var usage is also shown.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The generator calls the OpenRouter API at runtime (https://openrouter.ai/api/v1) and uses the returned review text/critique to programmatically modify prompts (via improve_prompt) for subsequent generations, so content fetched from that URL directly controls the agent's prompts.