ai-social-media-content
Audited by Socket on Feb 19, 2026
1 alert found:
Malware [Skill Scanner]: Pipe-to-shell or eval pattern detected

This skill appears functionally consistent with its stated purpose (AI-based social media content generation). I did not find hardcoded secrets, obfuscated code, or explicit backdoors in the provided document. However, there are supply-chain and privacy risks: the recommended installer executes a remote script (curl | sh), all activity is routed through the inference.sh intermediary and multiple third-party backends, and the allowed-tools wildcard grants broad permission to run arbitrary infsh commands. These characteristics make the skill SUSPICIOUS from a supply-chain/data-exfiltration perspective (centralized handling of prompts, generated media, and credentials).

Recommend: review the inference.sh installer script before running, verify the trustworthiness and privacy policies of inference.sh and listed backends, and limit allowed tooling/permissions to the minimum required before using with real credentials or sensitive content.

LLM verification: No clear malicious code is present in the provided SKILL.md content; the skill's capabilities match its stated purpose. However there are operational supply-chain risks: the docs instruct users to run a remote install script piped to sh (high-risk install pattern), and all prompts/media/possibly credentials are routed through a single third-party service (inference.sh) with no disclosure about storage, retention, or token handling. Treat the installer and the inference.sh service as high-trust c