Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Microscopy Scale Bar Adder
v1.0.0
Add accurate, publication-ready scale bars to microscopy images given pixel-to-unit calibration data.
by AIpoch (@aipoch-ai)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, high confidence
Purpose & Capability
Name/description (add calibrated scale bars) match the included script's purpose. No unrelated credentials, binaries, or installs are requested. Minor note: SKILL.md examples and parameter names differ from the script's actual CLI flags, which will confuse users or automation that relies on the documentation.
Instruction Scope
SKILL.md instructs the agent to validate paths, to operate only within the workspace, and claims to reject absolute or outside paths. The script's check_path_traversal only looks for '../' or a leading '..'; it does not block absolute paths (e.g., '/etc/passwd' on Unix or 'C:\...' on Windows) and does not check the resolved path against an allowlisted workspace root. SKILL.md also claims to preserve image metadata and documents parameter names like --image/--scale/--unit and position tokens like 'bottomright', whereas the script uses --input/--scale-length/--scale-unit and hyphenated position values ('bottom-right'). Because of these mismatches, following SKILL.md literally could fail or cause unintended file access.
Install Mechanism
No install spec and no network downloads; only a bundled Python script using Pillow. This is low-risk from an installation perspective.
Credentials
No environment variables, credentials, or config paths are requested. The script reads only the provided image file and writes an output file — nothing else is accessed.
Persistence & Privilege
Skill is not always-enabled and does not request elevated or persistent privileges. It does not modify other skills or system-wide settings.
What to consider before installing
This skill appears to implement the advertised functionality (adding calibrated scale bars) and does not request credentials or external installs, but there are important inconsistencies you should address before using it on real data:
- CLI mismatches: SKILL.md uses flags like --image, --scale, --unit and position tokens without hyphens (e.g., 'bottomright'), while the script expects --input, --scale-length, --scale-unit and position values like 'bottom-right'. Update the docs or script so they match.
- Path restriction is incomplete: the script's path traversal check only rejects '../' or leading '..'. It does not prevent absolute paths. If you want to restrict files to a workspace, require resolving to an absolute path and verify it is within an explicit workspace root (use os.path.abspath and compare prefixes). Until fixed, avoid passing absolute paths or run the script in a sandbox with only images you trust.
- Metadata claim: SKILL.md promises to preserve original metadata, but the script converts images to RGBA and then may convert to RGB for JPEG without explicitly preserving EXIF/TIFF tags. If metadata preservation matters, test and patch to copy metadata when saving.
- Font path portability: the script attempts to load /System/Library/Fonts/Helvetica.ttc; this will fail on non-macOS systems (it falls back to a default font, which may affect label appearance). Consider bundling or specifying a portable font path.
Recommendations before installing/using:
- Run the script in a restricted/sandboxed environment first with sample images.
- Fix or reconcile the SKILL.md and the script so parameter names, position tokens, and error messages match.
- Strengthen path validation to enforce that resolved absolute paths lie inside an intended workspace directory, and explicitly reject other absolute paths.
- If you cannot modify the skill, only run it with controlled input files and do not pass absolute paths.
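As an added illustration of the path-validation point above (this is example code written here, not the skill's own script), the first function reproduces the kind of check the scan describes and the second shows the workspace-root confinement the recommendations ask for. It assumes a constructed workspace root and uses os.path.commonpath rather than a plain string-prefix comparison, because a prefix check would accept a sibling directory such as '/work2' for root '/work'.

```python
import os


def weak_check_path_traversal(path: str) -> bool:
    """Reconstruction of the kind of check the scan describes: it rejects
    only '../' or a leading '..', so an absolute path like '/etc/passwd'
    passes unchanged. Returns True when the path is (wrongly) accepted."""
    return not (path.startswith("..") or "../" in path)


def is_inside_workspace(path: str, workspace_root: str) -> bool:
    """Hardened check: resolve both the root and the candidate to absolute,
    symlink-free paths and require the candidate to be the root itself or a
    descendant of it. Relative inputs are anchored to the root; absolute
    inputs are kept as given by os.path.join and then compared.
    os.path.commonpath avoids the sibling-prefix pitfall of comparing
    string prefixes ('/work2/x' would otherwise pass for root '/work')."""
    root = os.path.realpath(workspace_root)
    candidate = os.path.realpath(os.path.join(root, path))
    try:
        return os.path.commonpath([root, candidate]) == root
    except ValueError:
        # Raised on Windows when the two paths are on different drives;
        # that can never be inside the workspace.
        return False


def resolve_workspace_file(path: str, workspace_root: str) -> str:
    """Return the resolved absolute path for a user-supplied input or output
    file, or raise ValueError if it would leave the workspace."""
    if not is_inside_workspace(path, workspace_root):
        raise ValueError(f"refusing path outside workspace: {path!r}")
    return os.path.realpath(os.path.join(os.path.realpath(workspace_root), path))


if __name__ == "__main__":
    # Constructed workspace root and sample inputs for demonstration.
    ROOT = "/srv/claw-workspace"
    for p in ("sample.tif", "sub/../img.png", "../secret.png", "/etc/passwd"):
        print(f"{p!r}: weak={weak_check_path_traversal(p)} "
              f"hardened={is_inside_workspace(p, ROOT)}")
```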
Given these mismatches and the incomplete path protection, treat the skill as suspicious (likely sloppy/buggy rather than malicious). Patching the items above would move it toward benign/coherent.
Like a lobster shell, security has layers — review code before you run it.
latest: vk976q9ehk4n594h3g9efj2kv3d83q5y7
