mcp-tokenflux-images

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 1.00). Yes — the skill tells the user to run a curl | sh from a raw GitHub script in an unfamiliar repo (directly executing a .sh from an untrusted source is high-risk), and it depends on an unverified API domain (tokenflux.ai) for a third‑party CLI, so the combination could distribute malware or exfiltrate credentials.