assembly-instructions

This skill's stated purpose (generate assembly manuals from YAML/SVG or AI images) aligns with the capabilities documented: reading project YAML and assets, rendering SVGs or calling an image generation API, and compiling PDFs. I found no explicit malicious code or backdoors in the provided documentation fragment. The primary security considerations are supply-chain and credential risks: (1) pip install -r requirements.txt with no pinned versions increases risk of compromised dependencies; (2) the GEMINI_API_KEY environment variable is required for AI image generation but the docs do not name the exact endpoint or SDK, so an implementation that forwards keys to an unintended host could leak credentials or content. If used as intended with pinned dependencies and calls to a trusted AI provider (and with clear handling of the GEMINI_API_KEY), the skill appears benign. Without the actual script implementations, moderate caution is warranted—review the scripts that handle GEMINI_API_KEY and the requirements.txt contents before running in sensitive environments.