image-upload

Warn

Audited by Socket on Mar 1, 2026

1 alert found:

Security (MEDIUM) in SKILL.md

Functionally, the skill's capabilities align with its stated purpose: it reads a local image file, optionally obtains a temporary API key, and uploads the file to Lab Nocturne's image upload endpoint, returning the CDN URL. The primary security concerns are privacy and supply-chain trust: images (which may contain sensitive data) and an API key (even a temporary one) are sent to external domains controlled by the service. There is no evidence of hidden malicious behavior, download-and-execute patterns, or attempts to harvest unrelated credentials. The main recommendations are: (1) ensure users are aware that files will be uploaded externally and obtain consent before uploading sensitive files, (2) avoid echoing or logging API keys verbatim, (3) document retention and access controls for uploaded files, and (4) verify the trustworthiness of the Lab Nocturne endpoints before use.
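The following is an added illustration of how recommendations (1), (2) and (4) can be enforced in code around the upload flow the audit describes. It is not the skill's own code and not Lab Nocturne's API: the upload hostname, the bearer-token header, the consent flag and the injected transport are all assumptions chosen so that it runs offline, and the sample image bytes are constructed.

```python
"""Hardened wrapper around an image-upload flow (added example, not the skill's code).

Enforces: explicit user consent before any external upload, an allowlisted
HTTPS endpoint, and no verbatim API key in log output.
"""
import hashlib
import logging
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import urlparse

log = logging.getLogger("image_upload")

# Assumption: the single host the skill may call. The real Lab Nocturne hostname
# is not given on the audit page, so a reserved .invalid name stands in for it.
ALLOWED_HOSTS = frozenset({"upload.labnocturne.invalid"})


def redact(secret: str) -> str:
    """Return a loggable fingerprint of a secret instead of the secret itself.

    An 8-hex-char SHA-256 prefix is enough to tell two keys apart in logs
    while giving away nothing that lets a reader reconstruct the key.
    """
    if not secret:
        return "<empty>"
    return "sha256:" + hashlib.sha256(secret.encode()).hexdigest()[:8]


def loggable_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Copy of the request headers with the Authorization token fingerprinted."""
    out = {}
    for name, value in headers.items():
        if name.lower() == "authorization":
            scheme, _, token = value.partition(" ")
            out[name] = f"{scheme} {redact(token)}".strip()
        else:
            out[name] = value
    return out


def endpoint_problem(url: str) -> Optional[str]:
    """Return a reason to refuse the endpoint, or None if it is acceptable."""
    parts = urlparse(url)
    if parts.scheme != "https":
        return f"non-HTTPS endpoint: {url}"
    if parts.hostname not in ALLOWED_HOSTS:
        return f"unexpected upload host: {parts.hostname}"
    return None


@dataclass
class UploadRequest:
    url: str
    filename: str
    data: bytes
    headers: Dict[str, str]
    sha256: str


def prepare_upload(data: bytes, filename: str, endpoint: str, api_key: str,
                   *, user_consented: bool) -> UploadRequest:
    """Build the outbound request, failing closed on missing consent or a bad host."""
    if not user_consented:
        raise PermissionError(
            f"{filename}: user has not consented to uploading this file externally")
    problem = endpoint_problem(endpoint)
    if problem:
        raise ValueError("refusing upload: " + problem)
    digest = hashlib.sha256(data).hexdigest()
    # Assumption: bearer-token auth; the skill's real auth scheme is not on the page.
    headers = {"Authorization": f"Bearer {api_key}"}
    log.info("uploading %s (%d bytes, sha256 %s) to %s with headers %s",
             filename, len(data), digest[:12], urlparse(endpoint).hostname,
             loggable_headers(headers))
    return UploadRequest(endpoint, filename, data, headers, digest)


def upload(req: UploadRequest, transport: Callable[[UploadRequest], str]) -> str:
    """Send the request through an injected transport and return the CDN URL.

    Injecting the transport keeps the example offline; a real skill would pass a
    function that performs the HTTPS multipart POST and parses the response.
    """
    cdn_url = transport(req)
    log.info("upload of %s complete: %s", req.filename, cdn_url)
    return cdn_url


def fake_transport(req: UploadRequest) -> str:
    """Stand-in transport (constructed): derives a CDN URL from the content hash."""
    return f"https://cdn.labnocturne.invalid/{req.sha256[:16]}.png"


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Constructed sample: the 8-byte PNG signature standing in for a real image.
    sample = b"\x89PNG\r\n\x1a\n"
    req = prepare_upload(sample, "shot.png",
                         "https://upload.labnocturne.invalid/v1/images",
                         "tmp-key-123", user_consented=True)
    print(upload(req, fake_transport))
```

The consent flag is deliberately keyword-only and has no default, so a caller cannot forget it, and the log line goes through `loggable_headers` rather than printing the header dict, which is where verbatim keys usually leak from.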

Confidence: 80%
Severity: 75%
Audit Metadata
Analyzed At: Mar 1, 2026, 07:45 PM
Package URL: pkg:socket/skills-sh/jjenkins%2Fagent-image-skills%2Fimage-upload%2F@c8b0afe1025e5db411a5e6f7d766ef36a9dcb3a1