technical-blog-writing

[Skill Scanner] Pipe-to-shell or eval pattern detected All findings: [CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4] [CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4] [CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4] This skill is coherent with its stated purpose (technical blog writing using the inference.sh CLI). There are no direct indicators of malicious code or exfiltration to unknown domains in the supplied content. The main security considerations are: (1) the use of curl | sh installer which requires user verification of checksums to be safe, and (2) the broad allowed-tools wildcard (Bash(infsh *)) which allows the skill to run arbitrary infsh subcommands and thereby transmit user content or credentials to the inference.sh backend when invoked. These are operational risks rather than signs of malware in the skill itself. Recommend users verify the installer checksum before running and be aware that using the skill will send content to the inference.sh service. LLM verification: The analyzed material meaningfully describes a blog-writing tooling workflow but relies on a high-risk installation pattern (curl | sh) and external installer/checksum sources. To improve safety, replace or supplement with safer installation options (e.g., package manager, signed binaries with provenance, reproducible builds, in-repo verification). The content is functionally coherent but should be clearly separated from executable guidance or sandboxed behind explicit safeguards before distribu