ai-product-photography
Audited by Socket on Feb 19, 2026
1 alert found:
Malware [Skill Scanner]: Pipe-to-shell or eval pattern detected

This skill is coherent and consistent with its stated purpose: it provides examples to run an inference.sh CLI to generate and post-process product images. I found no signs of direct malicious code, obfuscation, or hardcoded credentials in the provided text. However, there are supply-chain and privacy risks: the installer pattern (curl | sh), the broad allowed-tools wildcard, and the fact that user prompts/images and login credentials are sent to third-party hosted inference services. These are legitimate operational risks that require users to trust the inference.sh operator and to be cautious when running remote installers or granting wide agent permissions.

LLM verification: The skill documentation is functionally coherent with its stated purpose (AI product photography), but it contains supply-chain risk indicators: it instructs users to install a remote CLI via curl | sh and to authenticate/login to a third-party service (inference.sh) that likely proxies prompts, images, and tokens. There is no direct evidence of embedded malware in the SKILL.md text, but the install-and-proxy pattern raises legitimate suspicion for credential or data collection.

Recommendation: