ai-marketing-videos

[Skill Scanner] Pipe-to-shell or eval pattern detected The skill appears functionally consistent with its stated purpose (creating AI marketing videos using the inference.sh hosted platform). There is no direct evidence of embedded malware or obfuscated malicious code in the provided skill file. However, there are supply-chain and privacy risks: the docs direct users to run a remote install script (curl | sh) and the skill routes all prompts/media through the inference.sh service (third‑party data exposure). The allowed-tools entry is broad and increases the impact if the skill is misused. Recommend treating the installer and inference.sh endpoint as high-trust components: verify installer integrity, review CLI source before executing, and avoid sending sensitive materials to the hosted service without contractual/privacy assurances. LLM verification: SUSPICIOUS. The skill’s stated purpose (marketing video generation) is plausible, but the installer pattern curl | sh from an unverified remote source and subsequent execution of remote-initialized tooling present a non-trivial supply-chain risk. Best-practice would require verifiable distribution (signed artifacts, pinned checksums, or a trusted package manager), explicit integrity checks, and clear security prompts or sandboxing for remote code execution. Data flows show remote code execution