adobe-express

Fail

Audited by Socket on Feb 28, 2026

1 alert found:

Malware (HIGH)
SKILL.md

The skill's intended functionality (automating Adobe Express via Playwright) is plausible for legitimate automation, but the provided materials exhibit several supply-chain and credential-management anti-patterns that elevate risk: unpinned curl|bash installers from a third-party domain, instructions to persist plaintext credentials locally, broad Playwright automation privileges, and sparse detail on secure 2FA handling. I did not observe explicit hardcoded secrets, obfuscated code, or overt exfiltration endpoints in the supplied fragment, but the installation and runtime patterns are high-risk and warrant auditing of the referenced installer scripts and runtime code before use. Recommended mitigations: avoid piping remote scripts to bash without audit, perform manual installation and code review of canifi-hosted scripts, prefer OAuth or short-lived tokens where possible, restrict Playwright to isolated profiles and limit filesystem access, and instrument network monitoring during initial runs.

Confidence: 98%
Severity: 90%
Audit Metadata
Analyzed At: Feb 28, 2026, 03:41 AM
Package URL: pkg:socket/skills-sh/NeverSight%2Fskills_feed%2Fadobe-express%2F@c861e9c633585995c758bdd80407cb8c83b8577f