data-visualization
Fail
Audited by Snyk on Feb 19, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.90). Both URLs point to an unverified domain (inference.sh / cli.inference.sh) that is being used to deliver a shell installer (curl ... | sh). Executing remote scripts or installing binaries from an unfamiliar site allows arbitrary code execution and is therefore high risk unless you can independently verify the publisher and inspect the exact script/binaries.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's Quick Start tells users to run "curl -fsSL https://cli.inference.sh | sh", which fetches and immediately executes remote installer code from https://cli.inference.sh. This step is required for the subsequent infsh runtime commands, so it directly executes remote code at runtime.