product-photography
Audited by Socket on Mar 8, 2026
1 alert found:
Malware
The skill demonstrates coherent purpose-capability alignment for AI-assisted product photography generation via a CLI, including multiple shot types and editing steps. However, the install/execution footprint relies on a download-and-execute pattern from external domains (curl|sh to https://cli.inference.sh and binaries from dist.inference.sh) with checksum verification mentioned but not fully verifiable in-context. This creates a notable supply-chain and data-flow risk. The data flows primarily through the external CLI/toolchain rather than directly via explicit, auditable API calls, raising concerns about data provenance and potential exfiltration. Overall, the skill is SUSPICIOUS due to download-execute installation flow from unverified sources and potential third-party tool propagation, but not clearly malicious without additional evidence of credential harvesting or exfiltration. Recommend tightening install provenance (official registries or signed binaries), explicit data-use policies, and per-action user consent for external executables.