ai-product-photography

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.90). These point to a non-standard domain that instructs users to curl and pipe a remote shell script (https://cli.inference.sh | sh) — a high‑risk pattern because it fetches and executes unreviewed code from an unverified source (the image URL is likely benign but hosted on the same domain), so the distribution channel could be used to deliver malware.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The Quick Start contains a runtime command that pipes a remote script into a shell ("curl -fsSL https://cli.inference.sh | sh"), so https://cli.inference.sh is fetched and executed and is a required installer for the infsh CLI used by the skill.