Security risk report for @forgecat/openai_skills_imagegen v0.0.10
Source Integrity
Low
Profile is attributed to OpenAI with a public GitHub repository link and Apache-2.0 license.
Commit hash and timestamp are provided for traceability; no obfuscation or suspicious provenance indicators detected.
Agent Intent
Low
Content describes legitimate image generation workflows (built-in tool vs. CLI fallback) with clear decision trees and guardrails; no instructions to ignore system prompts, exfiltrate data, or modify credentials.
Guidance on prompt structure, specificity, and iteration is educational and security-conscious (e.g., 'Never modify scripts/image_gen.py', 'ask the user before doing anything else').
References to network access and approval policies are transparent safety documentation, not hidden manipulation.
Details
Evidence
'Never modify scripts/image_gen.py. If something is missing, ask the user before doing anything else.'
'Use the bundled CLI directly (python "$IMAGE_GEN" ...) after activating the correct environment. Do not create one-off runners.'
Workflow step 5: 'Collect inputs up front: prompt(s), exact text (verbatim), constraints/avoid list, and any input images.'
Permissions
Low
No tool definitions or MCP servers are declared in this profile; the skill is purely instructional guidance for using built-in image generation tools.
References to CLI execution (python scripts, environment variables) are conditional on explicit user request and documented as fallback-only, not automatic.
Network access and approval policies are explicitly surfaced to the user as configuration decisions, not hidden or forced.
Details
Evidence
'No tool definitions or MCP servers declared.'
'Use only when the user explicitly asks for the CLI path. Requires OPENAI_API_KEY.'
'If the user explicitly chooses CLI fallback, then and only then use the fallback-only docs...'
MCP Risk
Low
No MCP servers are defined in this profile.
The skill relies on built-in image generation tools and optional CLI scripts, both of which are scoped and documented.