laniameda-gallery-ingest
Audited by Socket on Apr 17, 2026
2 alerts found:
Anomaly / Security / SUSPICIOUS. The core Convex-ingest behavior matches the stated purpose, but the skill also authorizes autonomous repo/skill updates and transitive skill installation, which expands trust beyond simple content ingestion. Data flow to Convex is proportionate, yet the update/install instructions and root .env access raise medium security risk.
No clear evidence of intentional malware, obfuscation, or backdoor logic in this fragment. However, it is security-sensitive: it can read arbitrary local files specified by untrusted input, base64-encode the contents, and transmit them to a remote endpoint configured via environment variables. It also forwards user-supplied URLs to the backend without validation, which could enable SSRF-like risks depending on server-side behavior. Treat as a potentially high-impact data exfiltration risk under misuse or compromised input/environment; ensure strict input validation, file path allowlisting/sandboxing, and backend URL fetching controls.