video-ad-specs

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.80). These URLs host a remote installer script and associated binary distribution on a single, non‑well‑known domain (curl | sh to https://cli.inference.sh which then downloads binaries from dist.inference.sh), a common and risky pattern because it executes remote code and relies on checksums served from the same domain rather than an independently verified signature—so while they may be legitimate, the distribution method is high risk for malware distribution.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The Quick Start instructs running "curl -fsSL https://cli.inference.sh | sh" (which downloads and executes a remote installer that in turn pulls binaries from dist.inference.sh) and that installer is required to get the infsh CLI used by the skill, so it clearly executes remote code at runtime.