Dangerous exec
- Finding
- Shell command execution detected (child_process).
Security checks across static analysis, malware telemetry, and agentic risk
The skill's code and instructions are coherent with a chalkboard-image generator that uses a single gateway and a single API key, but it asks to run local installs and can persist your IMAGE_GEN_API_KEY to disk and retry downloads with the Bearer token — actions that raise supply-chain and credential-leak risks unless you review them first.
This skill appears to do what it claims (a CLI wrapper around a single gateway) but has two operational risks you should consider before installing or authorizing it:
1) Supply-chain risk from local installs: The readiness/bootstrap flow will run npm install across multiple package.json files if you approve. Review the repository's package.json files and vendor/ directories (already bundled here) and prefer running the readiness step with --dry-run first. If you must install, run the installs in an isolated environment (container/VM) or inspect the packages to be fetched.
2) Credential exposure risk: The skill uses IMAGE_GEN_API_KEY and can persist it to a local .env file if you allow it. The CLI will attempt unauthenticated downloads and will retry with your Bearer token on 401/403 — that could leak the token if the returned image URL is hosted on a non-gateway domain. Use a scoped/ephemeral API key, avoid allowing automatic persistence unless you trust the environment, and prefer to provide the key via environment variable for short-lived sessions. Also prefer a dry-run first (--dry-run) to inspect the assembled request body and returned URLs before allowing a full run.
Concrete steps before installing/using:
- Ask the agent to run the readiness check with --dry-run and show the JSON output (do not allow non-dry-run installs yet).
- Inspect package.json files and vendor code included in the bundle (they are present) or run installs in an isolated sandbox.
- If asked to persist the API key, decline until you can confirm the file path and ACLs, or provide a short-lived key you can revoke.
- Consider restricting network access or reviewing generated image URLs before permitting any retries that include the Bearer token.
If you want, I can point out the exact package.json entries and the files the bootstrap script would install so you can review them before consenting.
VirusTotal findings are pending for this skill version.
No visible risk-analysis findings were reported for this release.