create-pitch-deck

SUSPICIOUS. The core deck-generation behavior is consistent with the stated purpose, and there is no download-execute or credential-forwarding pattern. The main concern is telemetry: it can POST to an arbitrary config-supplied endpoint and appears to do so in the preamble before first-run consent is handled, creating a moderate data-flow and privacy risk disproportionate to a pitch-deck skill.