ai-video-generation

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.80). The set includes an instruction to run a remote installer via "curl ... | sh" (https://cli.inference.sh), along with many placeholder/unknown direct file links (media and script-like names) that could host malicious payloads or be swapped for executables—so while some links are documentation, the install pattern and unknown hosts make this a moderate-to-high malware distribution risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's examples and workflow (SKILL.md) explicitly accept arbitrary external URLs like "image_url", "audio_url", and "video_url" (e.g., the Fabric/PixVerse/OmniHuman and upscaling examples) which the platform will fetch and ingest as part of generating videos, exposing the agent to untrusted third‑party content that can influence processing and outputs.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The Quick Start instructs users to execute remote code via curl -fsSL https://cli.inference.sh | sh (which fetches and runs a remote installer at runtime) and the skill relies on that CLI as a required dependency, so this URL directly results in executing remote code.