pitch-deck-visuals
Audited by Socket on Mar 8, 2026
1 alert found:
Malware: The skill's stated purpose (generating investor pitch visuals via a CLI) reasonably aligns with its described capabilities (HTML-to-image rendering, slide framework, and sample visuals). However, there is a notable supply-chain risk due to downloading and executing an external binary (dist.inference.sh) not tied to a widely recognized package registry, even with checksum verification. Credential handling is implied (login) but not clearly secured or audited within the excerpt. Data flows involve user-provided content and external CLI endpoints, which warrants caution around data exposure and provenance. Overall, the skill is SUSPICIOUS due to supply-chain and data-flow concerns, with a need for stronger provenance, transparent security guarantees (signed releases, verifiable source code, clear credential handling), and explicit, minimized data handling policies.