image-forge
Audited by Socket on Feb 24, 2026
1 alert found:
Security [Skill Scanner] Installation of third-party script detected

All findings:
[HIGH] supply_chain: Installation of third-party script detected (SC006) [AITech 9.1.4]
[HIGH] supply_chain: Installation of third-party script detected (SC006) [AITech 9.1.4]
[HIGH] supply_chain: Installation of third-party script detected (SC006) [AITech 9.1.4]

Overall, the skill fragment is internally coherent with its stated purpose as an image-forge pipeline combining deterministic image processing with AI-assisted edits. There are no hardcoded secrets, credential requirements, or suspicious install patterns. The main security concern is potential data exposure through external AI services; this is a governance/policy risk rather than an immediate code-supply-chain compromise. Recommend ensuring explicit data-handling policies for external AI endpoints and validating provenance of external models (Gemini/nano-banana-pro) and the Read tool. If those services are trusted and consented to by users, the risk remains manageable as a typical AI-assisted image-processing workflow.

LLM verification: This skill is coherent with its stated purpose (image editing), and most operations and examples are typical for an image-processing skill. The primary concerns are supply-chain and execution risks: it instructs users to install third‑party packages (brew/pip) and invokes external CLIs which fetch code or models; the docs contain an odd 'uv pip install' command that should be fixed; and the pipeline allows a `raw` magick op which — if implemented by concatenating into a shell command — is a comm