piclist-upload
Warn
Audited by Socket on Feb 20, 2026
1 alert found:
Anomaly (LOW)
scripts/process.sh
The script is not obfuscated and contains no obvious backdoor or dynamically executed code, but it provides functionality that can exfiltrate any local files referenced by Markdown to a configured HTTP endpoint and will delete local image files by default. If PICLIST_SERVER is pointed to a malicious remote host (or an attacker can control the environment), sensitive data can be uploaded and removed from disk. Treat this as a moderate supply-chain risk: safe when running against a trusted local PicList server, but potentially dangerous if misconfigured or run in untrusted environments.
Confidence: 90%
Severity: 60%