pitch-deck-visuals

Fail

Audited by Snyk on Mar 8, 2026

Risk Level: CRITICAL

Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.80). These URLs point to a non–well‑known domain providing a curl | sh installer and hosted binaries/checksums — a distribution pattern that is convenient but risky (remote shell execution, unsigned artifacts, and limited third‑party reputation), so it could be used to distribute malware unless you audit the script and verify checksums/signatures from a trusted source.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The Quick Start instructs running curl -fsSL https://cli.inference.sh | sh (which downloads and executes a remote install script and pulls binaries from dist.inference.sh) and the skill then relies on that infsh CLI to run apps that execute code, so this is a runtime dependency that fetches and runs remote code (https://cli.inference.sh, https://dist.inference.sh).

Audit Metadata

Risk Level: CRITICAL
Analyzed: Mar 8, 2026, 02:51 AM