image-studio
Audited by Socket on Mar 4, 2026
1 alert found:
Security: The skill's functionality and purpose are clear: make multi-provider image generation seamless by routing requests through a hosted proxy. The reviewed files do not contain direct malicious code, but the architecture centralizes sensitive data and credentials at a third-party proxy (default: image-gen-proxy.vercel.app) without published privacy/retention or security guarantees, which is a meaningful supply-chain and data-exfiltration risk. Recommended actions before trusting the package: (1) obtain and review the proxy implementation and its hosting account practices; (2) review tools/generate.js locally for secret handling, logging, and network behavior; (3) if using in production or with sensitive prompts, deploy your own proxy under your control and keep provider keys secret; (4) avoid sending sensitive or proprietary prompts to the default hosted proxy. Treat the package as convenient but with elevated trust requirements until the proxy and local script are audited.