llm-models

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.80). The URLs point to a single third‑party site that provides a remote install script (curl https://cli.inference.sh | sh) and downloadable binaries from a project-controlled dist subdomain — a common malware delivery pattern; the presence of same-host SHA‑256 checksums and documentation slightly lowers but does not eliminate risk because checksums hosted on the same domain can be tampered with if the site is compromised or malicious.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The Quick Start runs curl -fsSL https://cli.inference.sh | sh which fetches and executes remote installer code (and downloads binaries from dist.inference.sh) at runtime, making https://cli.inference.sh a required external dependency that executes remote code.