press-release-writing

[Skill Scanner] Pipe-to-shell or eval pattern detected All findings: [CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4] [CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4] [CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4] The press-release-writing skill is a benign documentation/template skill whose runtime behaviors depend on the external inference.sh CLI and its backend services. The primary risks are operational: executing a remote install script (curl | sh), and sending potentially sensitive drafts/queries and credentials to third-party services when using 'infsh login' and 'infsh app run'. No hardcoded secrets, obfuscated code, or direct malicious actions are present in the skill text. Recommend caution: inspect the installer and verify checksums before running, limit the data you send to the external service, and prefer manual review of any credentials stored by the CLI. LLM verification: This SKILL.md appears to be legitimate documentation for a press-release writing skill that recommends using the inference.sh CLI for research. There is no direct evidence of embedded malware or obfuscated malicious code in the document itself. However, the file contains high-risk operational instructions: it recommends a 'curl | sh' installer and routes research and user-provided text through a third-party service (inference.sh). That creates a realistic risk of remote code execution at install