image-gen

Warn

Audited by Socket on Feb 16, 2026

1 alert found:

Security: MEDIUM
SKILL.md

[Skill Scanner] Credential file access detected

The skill's functionality (image generation and selfie management) is coherent, but it contains deliberate instructions that create significant privacy/data-leakage risk: chiefly, the requirement to exfiltrate the entire internal system prompt into external model prompts and to include all appearance and potentially sexualized details verbatim. Additional practical risks come from contradictory save instructions and the opaque alma CLI/network boundary. There is no direct evidence of malware or obfuscation in this file, but the described behavior would facilitate sensitive-data exfiltration if the alma CLI or its backends are untrusted or compromised. Recommend removing system-prompt exfiltration, clarifying save behavior, restricting sensitive content generation, and requiring documentation of alma's network endpoints and API key handling before use.

LLM verification: SUSPICIOUS: The skill's stated purpose (image generation and face-consistent selfies) is reasonable, and the CLI-based selfie album is a plausible implementation detail. However several elements are disproportionate or risky: the requirement to copy the full system prompt (which may contain sensitive or private configuration and possibly secrets) into every selfie prompt results in unnecessary exfiltration of internal agent data to external image APIs. The skill also encourages saving and reusin

Confidence: 75%
Severity: 75%
Audit Metadata
Analyzed At: Feb 16, 2026, 04:00 AM
Package URL: pkg:socket/skills-sh/naohainezha%2Fskill%2Fimage-gen%2F@4de4498cd73056f25399c8dffcac5ee834ff5782