product-hunt-launch
Audited by Socket on Feb 19, 2026
1 alert found:
Malware [Skill Scanner]: Pipe-to-shell or eval pattern detected

All findings:
- [CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4]
- [CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4]
- [CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4]

No evidence of malware or hidden backdoors in the provided skill documentation. The functionality (image generation, search, and launch guidance) is coherent with the stated purpose. The main security considerations are (1) installing a remote script via curl|sh, a standard supply-chain risk unless checksums are verified, and (2) user prompts/images/search queries being sent to the inference.sh ecosystem (data/privacy consideration). Recommend users verify installer checksums before running, review the inference.sh privacy/data handling policy, and avoid sending sensitive secrets or proprietary images to the remote service.

LLM verification: The skill description is coherent with its stated purpose of Product Hunt launch optimization, but the embedded installation pattern (curl ... | sh) and reliance on external CLI binaries introduce supply-chain and execution risks that are not mitigated within the fragment. While the content itself is instructional for launch planning, the install/execution approach exposes users to potential code execution from untrusted sources. The documentation would be safer if it mandated verified, pinned i