gpt-image
Fail
Audited by Snyk on May 28, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.70). Most URLs are social posts and documentation (low risk), but the package/CLI install references to third-party GitHub repos (e.g., github.com/wuyoscar/gpt_image_2_skill and other community repos) that the SKILL would execute/install (uv/uvx/git+ installs) are untrusted code-distribution points and present a real risk if run locally without review.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.95). The skill's runtime fallback can call uv/uvx to fetch-and-run remote code via the git URL git+https://github.com/wuyoscar/gpt_image_2_skill (see scripts/generate.py _REPO_URL and the uvx/uv --from invocation), which executes remote code as a required transient dependency.
Issues (2)
E005
CRITICAL: Suspicious download URL detected in skill instructions.
W012
MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata