competitor-teardown

Fail

Audited by Snyk on Feb 18, 2026

Risk Level: CRITICAL

Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.90). The instruction to run a remote shell script via "curl -fsSL https://cli.inference.sh | sh" (direct download-and-execute from a non-standard third-party domain) is a high-risk indicator for malware distribution, even though the competitor.com pages themselves look like normal site pages.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly runs web-fetching tools (infsh/agent-browser, tavily/extract, tavily/search-assistant, exa/search) to screenshot and scrape competitor websites and mine reviews from public, user-generated sources like G2, Capterra, Reddit, Product Hunt, App Store and Google Play, which the agent ingests and analyzes.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Feb 18, 2026, 02:00 AM