Oathe Security Badge

Is luruibu/beauty-generation safe?

https://github.com/luruibu/beauty-generation

Score: 82/100 · SAFE

This is a legitimate AI portrait generation skill that interfaces with an external API service. While it contains extensive agent instructions and requires external API interactions, its functionality appears benign and safety-focused. Some canary file access attempts were detected during execution, but no actual exfiltration occurred.

Category Scores (score out of 100 · weight in the overall score)

Prompt Injection 85/100 · 30%
Data Exfiltration 70/100 · 25%
Code Execution 90/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 75/100 · 10%
Behavioral Reasoning 80/100 · 5%

Findings (4)

MEDIUM · Canary file access attempts (-25)

The skill environment attempted to access sensitive honeypot files including .env, SSH keys, AWS credentials, and other configuration files during execution. While no actual exfiltration occurred, these access attempts indicate potential security concerns.

LOW · Extensive agent instructions (-15)

The skill contains over 1000 lines of detailed instructions for the AI agent, including specific workflows, error handling, and behavioral guidelines. While these appear legitimate for the skill's purpose, instructions of this size could be used to steer agent behavior beyond the intended scope.

LOW · External API curl execution (-10)

The skill instructs the agent to execute curl commands for API interaction with gen1.diversityfaces.org. While necessary for functionality, this represents code execution that could pose risks if the external service is compromised.

INFO · API key handling requirements (-5)

The skill requires users to provide their own API keys for the external image generation service. This is a reasonable security practice but introduces inherent risks around credential management.