ai-avatar-video

Fail

Audited by Socket on Feb 21, 2026

1 alert found:

Malware: HIGH
SKILL.md

[Skill Scanner] Pipe-to-shell or eval pattern detected.

The skill documentation itself appears functionally coherent and aligns with its stated purpose (running hosted avatar and lipsync models via the infsh CLI). However, it directs users to execute a remote install script via curl | sh and to use an external CLI (infsh) that will handle credentials and upload media to inference.sh — this is a high-risk supply-chain pattern. There is no direct evidence of embedded malware in the provided text, but the download-and-execute install plus reliance on a third-party CLI and unpinned npm installs creates a moderate-to-high security and privacy risk. Recommend avoiding pipe-to-shell installation; instead require inspecting/pinning the CLI release, use distribution via official package managers with checksums, and review the infsh CLI source and its token storage/audit logs before use.

LLM verification: This SKILL.md correctly documents workflows for AI avatar and lipsync video generation using a third-party CLI and remote inference apps. The primary security concern is the unverified pipe-to-shell installer (`curl | sh`) which executes remote code without integrity checks; combined with a centralized gateway model that routes all user media and credentials through inference.sh, this creates a non-trivial supply-chain and data-exfiltration risk. There is no direct evidence of malware or obfusca

Confidence: 95%
Severity: 90%
Audit Metadata
Analyzed At
Feb 21, 2026, 07:13 AM
Package URL
pkg:socket/skills-sh/alfredang%2Fskills%2Fai-avatar-video%2F@a7e5d64b32fbd90aac4b478beecad6df6b310534