creative-toolkit

This skill's stated purpose (multi-provider image generation, prompt enhancement, ComfyUI workflow management) aligns with the capabilities documented. The primary security concerns are supply-chain and privacy-related: running the package via `npx meigen@latest` (un-pinned remote code execution) is the highest-risk pattern, and uploading reference images to an external CDN exposes user-supplied content. The skill requires API tokens and config files; if a user points the skill at a malicious OpenAI-compatible endpoint or if the package forwards credentials, tokens could be exfiltrated. The documentation asserts no telemetry and direct provider calls, but that claim cannot be validated without source inspection. Overall, the code appears plausible for its purpose with normal convenience trade-offs, but the unpinned remote execution plus credential and file-upload sinks justify a medium-to-high security risk. Recommended mitigations: run from pinned package versions, inspect the meigen source before use, host or verify the CDN provider for uploads, and only configure trusted provider endpoints.