qwen-image

The manifest enables image generation/editing via an external CLI ecosystem but presents notable supply-chain and data-flow risks due to remote installer execution (curl | sh), reliance on external binaries, and lack of explicit artifact signing/pinning or per-action data-flow controls. While checksum references exist, the absence of verifiable signing or reproducible builds increases risk. Treat as SUSPICIOUS with elevated caution; implement mitigations such as signed/artifact-pinning, restricted data exposure, and explicit user consent for data sent to external services.