cli-gpt-image

SUSPICIOUS. The skill's purpose broadly matches its image-generation behavior, but it relies on a custom wrapper that reuses Codex CLI OAuth tokens from ~/.codex/auth.json through an unofficial flow and an unreviewed local installer. That is disproportionate enough to raise concern about credential handling and install trust, though there is not enough evidence here to call it malicious.