video-ad-specs

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.80). These URLs host a remote installer script (curl | sh) and downloadable CLI binaries plus checksums on a small/unfamiliar domain—piping a remote script to a shell from an untrusted source is a high-risk pattern because the provider could distribute malicious binaries or change checksums.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The Quick Start instructs running "curl -fsSL https://cli.inference.sh | sh" (which downloads and executes a remote installer that in turn pulls binaries from dist.inference.sh) and that installer is required to get the infsh CLI used by the skill, so it clearly executes remote code at runtime.