google-veo

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.80). These URLs belong to a single third‑party domain offering a CLI install script (https://cli.inference.sh) that the skill instructs users to pipe directly to sh and download binaries from dist.inference.sh—an installation pattern that can be legitimate but is inherently risky because executing remote shell scripts and fetching executables from an unverified domain can distribute malware unless checksums/signatures are independently verified.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The Quick Start uses "curl -fsSL https://cli.inference.sh | sh", which fetches and immediately executes a remote install script (https://cli.inference.sh) required to install the infsh CLI that the skill uses to run models.