data-visualization

[Skill Scanner] Pipe-to-shell or eval pattern detected This skill is documentation for data visualization that legitimately uses a third-party hosted execution service (inference.sh) to run plotting code. There is no direct evidence of obfuscated or malicious code inside the provided text. The main security concerns are supply-chain/trust related: the quick-start recommends piping a remote installer to sh (dangerous by pattern) and all example payloads send code/data to a remote executor, which could leak sensitive data or credentials if users include them. Treat the remote service as a trust boundary: do not send secrets or sensitive datasets to it without review. Overall the content appears benign, but the installation and remote-execution patterns warrant caution. LLM verification: The skill's code snippets are benign, matching the stated purpose (data visualization). However the Quick Start recommending 'curl https://cli.inference.sh | sh' and the pattern of sending raw Python to a remote executor (infsh/python-executor) are suspicious from a supply-chain and data-exfiltration perspective. They expand trust boundaries unnecessarily and could expose code and secrets to a third party or execute unverified installer code locally. I classify this as SUSPICIOUS rather than mal