adobe-illustrator-web
Audited by Socket on Feb 28, 2026
1 alert found:
Malware

This skill's stated purpose (automating Adobe Illustrator Web) can be legitimate, but the delivery and authentication model contain multiple supply-chain and credential risks. The install instructions use a curl|bash pipeline from a third-party domain with no integrity checks, which is a high-risk distribution vector. The skill requests storage of Adobe credentials in a local helper (canifi-env) and describes Playwright automation that will access authenticated browser sessions and possibly 2FA flows (iMessage). Those capabilities are plausible for automation, but they are also exactly the mechanisms an attacker would use to harvest credentials, session tokens, or user files. There is no pinned provenance, checksum, or repository link to audit the installer. Overall I assess this as a medium-to-high security risk: the content is not confirmed malicious, but the combination of download-and-execute, credential handling, browser automation, and third-party endpoints is suspicious and requires careful review before trusting or installing.

Recommended mitigations: avoid curl|bash installs, require signed artifacts or public repo audits, prefer manual browser login-only mode (no credential storage), run installer in a sandboxed environment, and inspect installer contents before execution.