video-ad-specs

[Skill Scanner] Pipe-to-shell or eval pattern detected All findings: [CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4] [CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4] [CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4] No malicious code is present in the SKILL.md content. The file contains documentation and example invocations of the inference.sh (infsh) CLI and remote AI apps to generate, merge, and caption video ads — behavior consistent with the stated purpose. The main security considerations are supply-chain/trust-related: installing a remote shell script (curl | sh) and executing a downloaded binary from dist.inference.sh requires trusting that provider and verifying checksums; and user prompts and media files will be sent to remote inference endpoints (privacy/data exposure risk). There are no hardcoded secrets, obfuscated payloads, nor indications of covert exfiltration to unrelated domains within this document. LLM verification: The document itself is a legitimate usage/guide for creating platform-specific video ads and running generation workflows via the infsh CLI. There is no direct evidence in the text of embedded malware or obfuscation, but the Quick Start practice of piping a remote install script into sh and the reliance on a centralized third-party operator (inference.sh / dist.inference.sh) constitute meaningful supply-chain and data-exposure risks. If users follow these examples, they should independently veri