pitch-deck-visuals
Audited by Socket on Feb 25, 2026
1 alert found:
Malware: Functionally, the package/docs are intended to automate pitch-deck visual creation and provide useful examples for HTML-to-image, Python chart rendering, and image generation. I found no explicit malicious payloads in the code snippets themselves. However, the project's recommended install and execution patterns create moderate-to-high supply-chain and data-exposure risks: a pipe-to-shell installer, custom binary hosting, remote execution of user-supplied code, and use of third-party model endpoints that receive potentially sensitive content. These patterns can enable credential theft, data leakage, or arbitrary code execution by a compromised provider or distribution channel. Recommended actions before use: avoid running the unverified curl | sh installer (download and verify checksums, or use reproducible packages); do not send sensitive or PII-containing slide content to remote executors unless the provider's privacy/retention policies are confirmed; limit CLI tokens and audit their use; and prefer local-only rendering or vetted distribution channels when handling proprietary data.