AGENT LAB: SKILLS

ai-rag-pipeline

Fail

Audited by Socket on Feb 19, 2026

1 alert found:

Malware: HIGH
SKILL.md

[Skill Scanner] Pipe-to-shell or eval pattern detected.

The skill's stated purpose and capabilities are consistent with the provided examples (building RAG pipelines). There is no direct evidence of obfuscated or explicitly malicious code in the documented files. However this skill relies on installing a remote script (curl | sh) and routing all queries, extracted content, and credentials through the inference.sh platform and third-party apps (Tavily, Exa, OpenRouter). That central proxying and the installer pattern pose supply-chain and data-exfiltration risks if the platform or its apps are malicious or compromised.

Recommendation: treat this as SUSPICIOUS rather than benign — inspect the installer script and the infsh binary before running, check the platform's privacy/retention policy, prefer direct official provider integrations when handling sensitive data, and use least-privilege credentials (limited-scope API keys) when possible.

LLM verification: This SKILL.md is functionally coherent with its stated purpose (building RAG pipelines) and uses remote search/extract/LLM services as expected. However, it contains a high-risk installation pattern (curl ... | sh) and relies on intermediary hosted services (inference.sh, tavily, exa, openrouter) without documenting data handling, retention, or whether API credentials are proxied. The immediate malware probability is low (no explicit malicious code in the document itself), but the installer and

Confidence: 95%
Severity: 90%
Audit Metadata

Analyzed At: Feb 19, 2026, 03:40 AM
Package URL: pkg:socket/skills-sh/inference-sh-3%2Fskills%2Fai-rag-pipeline%2F@7e1fb7e75fa06d2526dcc700e8a342d9540c9344