logo-design-guide
Audited by Socket on Feb 19, 2026
1 alert found:
Malware

[Skill Scanner] Pipe-to-shell or eval pattern detected

All findings:

[CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4]

[CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4]

[CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4]

This skill appears functionally consistent with a logo-design guide that uses the inference.sh CLI to run remote image-generation models. There is no explicit malicious code inside the doc, but there are notable supply-chain and data-exposure risks: the use of curl | sh to install a third-party binary, routing prompts/images and credentials through the inference.sh gateway (provider endpoints and data practices are not fully specified), and wide CLI permissions (allowed-tools with wildcard). These make the skill SUSPICIOUS from a supply-chain and privacy standpoint — acceptable if users audit the installer and trust the inference.sh ecosystem, but potentially dangerous if the remote service or install script is compromised. Recommend auditing the install script, verifying checksums from an independent channel, and understanding the CLI's credential storage and backend endpoints before use.

LLM verification: The file is a benign logo-design guide that references the inference.sh CLI for AI image generation. The primary security concern is supply-chain and data-exfiltration risk from the recommended piped installer (curl | sh) and from running a third-party CLI that sends prompts/images to remote model backends. There is no evidence in the document itself of obfuscated or malicious code, but the recommended installation and runtime flows warrant caution: verify checksums, inspect installer and CLI co