openlicense-images

Warn

Audited by Socket on May 20, 2026

1 alert found:

Anomaly (LOW)
SKILL.md

SUSPICIOUS. The skill’s overall purpose is coherent, but its trust model is weaker than claimed and the license-verification pipeline is unsafe: it derives a local file path from remote image bytes and uses a flawed directory-safety check. There is no evidence of credential theft or overt malware, but the combination of mutable personal-repo content and risky shell/path handling makes this a medium-risk skill.

Confidence: 86%
Severity: 61%

Audit Metadata
Analyzed At: May 20, 2026, 03:28 PM
Package URL: pkg:socket/skills-sh/noah-lowery%2Ffree-use-images-skill%2Fopenlicense-images%2F@059040b0683ba0f48972a59aba821355b031d837
Security Audit — socket — openlicense-images