photoshop-automator

Warn

Audited by Socket on Feb 16, 2026

1 alert found:

Security: MEDIUM
SKILL.md

[Skill Scanner] Backtick command substitution detected

The package is functionally coherent for Photoshop automation and does not show direct signs of stealthy malicious code, obfuscation, hardcoded credentials, or built-in network exfiltration. However, it exposes a high-privilege primitive (runScript) that executes arbitrary ExtendScript with filesystem access. That capability is inherently risky when scripts or parameters are not fully trusted.

Recommended mitigations: restrict runScript to reviewed scripts only, add allowlisting of permitted APIs or paths, implement an approval workflow or dry-run step, and ensure safe command invocation (avoid shell concatenation). Treat the package as acceptable in trusted environments but high-risk in untrusted contexts.

LLM verification: Functionally correct for Photoshop automation but contains an explicit high-risk feature: runScript executes arbitrary ExtendScript with full access to the host filesystem and Photoshop process. There are no direct indicators of built-in malware (no network callbacks, no hardcoded secrets), but allowing unvetted script execution enables local data theft, data loss, or destructive actions. Use only with trusted, reviewed scripts or add guarding controls (human review, whitelisting, sandboxing) be

Confidence: 98%
Severity: 75%
Audit Metadata

Analyzed At: Feb 16, 2026, 04:47 PM
Package URL: pkg:socket/skills-sh/openclaw%2Fskills%2Fphotoshop-automator%2F@c0d3d30978efa810eca996645d5da15b7600c553