ai-product-photography
Audited by Socket on Mar 8, 2026
1 alert found:
Malware
The skill's stated purpose (AI-driven product photography via a CLI with multiple models) is consistent with its workflow. However, its install and execution pattern (a curl-based download of an unverifiable binary, plus remote model endpoints) introduces significant supply-chain, credential and data-flow risk. The presence of a login flow and remote generation endpoints compounds the potential for data exposure. Given the combination of download-and-execute installation from an unknown domain and data flowing to external services, the overall risk rates as suspicious to high; treat it as at least MEDIUM-HIGH until provenance and security controls are demonstrated (verified checksums, registry-based installation, an explicit data-handling policy, and minimised local credential exposure).
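The remediation the alert asks for (verified checksums instead of a bare download-and-execute) can be shown concretely. The shell below is an added example, not part of the Socket audit and not the skill's own installer; the URL, destination path and checksum values are placeholders, and `sha256_of`, `verify_download`, `install_pinned` and `demo_offline` are names chosen for this illustration. It contrasts the flagged "curl URL | sh" pattern with a download that is written to a temporary file, compared against a pinned SHA-256, and only then installed.

```shell
# Added example: pin a downloaded binary to a known SHA-256 before it can run.
# Not the skill's installer; URL/path/digest below are placeholders.

sha256_of() {
  # Portable SHA-256 hex digest: coreutils on Linux, shasum on macOS/BSD.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_download FILE EXPECTED_SHA256
# Succeeds only when FILE's digest equals EXPECTED_SHA256 exactly.
verify_download() {
  file="$1"; expected="$2"
  actual="$(sha256_of "$file")"
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
  fi
  return 0
}

# install_pinned URL EXPECTED_SHA256 DEST
# Hardened replacement for "curl URL | sh": fetch over HTTPS only into a temp
# file, verify the digest, then install with a fixed mode. Nothing is executed
# and nothing is piped into a shell; a mismatch leaves no file behind.
install_pinned() {
  url="$1"; expected="$2"; dest="$3"
  tmp="$(mktemp)"
  curl --fail --silent --show-error --location --proto '=https' --tlsv1.2 \
       --output "$tmp" "$url" || { rm -f "$tmp"; return 1; }
  if ! verify_download "$tmp" "$expected"; then
    rm -f "$tmp"; return 1
  fi
  install -m 0755 "$tmp" "$dest"
  rm -f "$tmp"
}

# Offline demonstration with a constructed file standing in for the download:
# the correct digest is accepted, a wrong digest is rejected.
demo_offline() {
  tmp="$(mktemp)"
  printf 'echo hello\n' > "$tmp"
  good="$(sha256_of "$tmp")"
  bad="0000000000000000000000000000000000000000000000000000000000000000"
  verify_download "$tmp" "$good" || { rm -f "$tmp"; return 1; }
  verify_download "$tmp" "$bad" 2>/dev/null && { rm -f "$tmp"; return 1; }
  rm -f "$tmp"
  return 0
}

demo_offline && echo "offline checksum demo passed"

# Real use (placeholders, not the skill's actual endpoint):
# install_pinned "https://example.invalid/tool-linux-amd64" \
#   "<sha256 published out-of-band by the vendor>" "$HOME/.local/bin/tool"
```

The expected digest has to come from somewhere other than the download host itself (a signed release page, a package registry entry, or the vendor's documentation); a checksum file served next to the binary from the same unknown domain adds nothing, since whoever controls that domain controls both.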