技术宣发助手

This skill largely does what it claims but has two practical risks you should consider before installing: - Undeclared image API keys: The code will look for ARK_API_KEY, REPLICATE_API_TOKEN, and OPENAI_API_KEY and, if present, will send generated image prompts (which may include text derived from your PDF) to those third-party services. The skill metadata does not declare these env vars — treat any API key you set as allowing the skill to communicate with external providers. - Potential data leakage: If you run image generation (or forget to use --no-image), portions of the PDF content may be incorporated into prompts and uploaded. Do not use this skill with confidential or proprietary PDFs unless you review/strip sensitive content first. - Runtime pip installs: The skill will attempt to install pdfplumber, PyMuPDF, requests, Pillow, etc., at runtime if missing. Consider running in a sandboxed environment or pre-installing these packages yourself. Recommendations: - If you only need copy generation, run with --no-image (or ensure no image API keys are set) so nothing is sent to external image endpoints. - Inspect scripts/extract_pdf.py and generate_image.py locally and consider running them manually in a controlled environment first. - If you must enable image generation, avoid supplying production API keys; use limited-scope/test keys and review the generated image_specs.json before any automatic upload. - If handling sensitive documents, do not enable stage 4 (image generation) and consider sanitizing the PDF before use. If you want, I can list the exact lines where env vars and external endpoints are referenced and suggest small code edits (e.g., explicit confirmation prompt before any network call, or redaction options) to reduce the risk.