background-removal

Fail

Audited by Snyk on Feb 18, 2026

Risk Level: CRITICAL

Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.90). The skill instructs piping a shell installer from an unverified third-party domain straight into a shell (curl -fsSL https://cli.inference.sh | sh). This direct remote-script execution pattern is a high-risk malware distribution vector, even though the image and docs URLs themselves are lower risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.70). The skill accepts arbitrary public image URLs (e.g., the "image_url": "https://your-photo.jpg" / "" parameters in the infsh app run examples) and fetches those remote images for processing, exposing the agent to untrusted third-party content.
Audit Metadata

Risk Level: CRITICAL
Analyzed: Feb 18, 2026, 01:58 AM