civitai-gen
Warn
Audited by Socket on Jun 12, 2026
1 alert found:
Anomaly (LOW): experiment.mjs
No direct malware behavior is evident in this module (no eval/obfuscation, no network calls, no reverse shell patterns). However, it enables security-relevant misuse by providing an arbitrary local file read primitive through --save-wildcard '@<path>' and by passing untrusted, user-controlled prompt/spec data into a spawned generate.mjs process. These behaviors warrant review of generate.mjs and addition of strict path/filename containment and input validation controls in this wrapper.
Confidence: 100%
Severity: 60%