creative-orchestrator

Fail

Audited by Socket on Feb 19, 2026

1 alert found:

Malware (severity: HIGH)
SKILL.md

[Skill Scanner] Installation of third-party script detected

All findings:
- [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
- [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]

The skill appears to be a legitimate orchestrator for creative asset generation, and most capabilities align with the stated purpose. However, there are several supply-chain and operational risks: a hardcoded-looking API key appears in the document, the automation code is distributed via a repository-local zip whose origin is not specified, and the skill encourages automatic invocation of other agent skills (granting broad action scope). These factors increase the chance of credential misuse, unintended exfiltration, or execution of unreviewed code. I rate this as SUSPICIOUS — it should be audited before use (remove or rotate the embedded key, inspect the contents of vibe-creative-automation.zip and the fal_api/claude_integration modules, and limit automatic agent invocations).

LLM verification: This skill's stated purpose (orchestrating creative workflows and generating assets) matches the described capabilities, but the trust and transparency issues are significant. The requirement to extract and execute an opaque local bundle (vibe-creative-automation.zip) and the inclusion of a concrete API key example, combined with instructions to .gitignore the bundle, are strong red flags. Without inspecting the contents of the bundled Python modules and verifying the network endpoints Nanobanan

Confidence: 95%
Severity: 90%
Audit Metadata
Analyzed At
Feb 19, 2026, 12:18 AM
Package URL
pkg:socket/skills-sh/sanky369%2Fvibe-building-skills%2Fcreative-orchestrator%2F@2897431f86752ba954e56f4b95b389eb7154e8a6