baoyu-image-gen
Audited by Socket on Mar 1, 2026
1 alert found:
Security: This SKILL.md describes an image-generation agent skill that legitimately requires API keys, reads local preference/config files, and calls provider APIs (OpenAI, Google, DashScope, Replicate). I found no deliberate obfuscation, hardcoded secrets, or explicit malicious behavior in the provided text. Primary risks are operational/misconfiguration: reading/writing EXTEND.md and .env files increases credential exposure; allowing user-settable provider base URLs could redirect credentials and generated data to attacker-controlled endpoints; and parallel background subagents increase the effective attack surface if the agent runtime grants broad permissions. Overall, the skill appears functionally consistent with its stated purpose, but operators should treat env/base-URL overrides and background subagent execution cautiously and ensure API keys and base URLs are trusted before use.