ai-voice-cloning

[Skill Scanner] Pipe-to-shell or eval pattern detected All findings: [CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4] [CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4] [CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4] This skill documentation is coherent with its stated purpose: running TTS and voice-cloning models via the inference.sh CLI. There are no clear signs of code-level malware in the document. Primary risks are: (1) executing the provided install pattern (curl | sh) without showing pre-execution checksum verification, which is an operational security risk; and (2) privacy/abuse risk from uploading voice samples and text to a third-party service for voice cloning (potential impersonation). No hardcoded secrets, obfuscated code, or explicit exfiltration to unrelated domains were found. Recommend: (a) prefer manual download + checksum verification or show verification steps before execution; (b) document consent and retention policies for uploaded voice data; and (c) restrict agent permissions or review allowed-tools scope before granting the skill network/execution rights. LLM verification: This skill document describes a legitimate-seeming remote TTS service invoked via a third-party CLI. The content and examples are coherent with the stated purpose. However, there are supply-chain and privacy concerns: the Quick Start recommends piping a remote installer into sh (curl | sh) and relies on a third-party distribution domain (dist.inference.sh) and remote inference endpoints (inference.sh). These are legitimate mechanisms for a hosted TTS service but carry risk: the binary could be m