product-hunt-launch

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.90). These URLs point to an unknown third‑party domain and the prompt instructs curl | sh from https://cli.inference.sh, which is a direct download-and-execute of an unsigned shell installer from an untrusted source and therefore suspicious.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs running web-search apps (e.g., "infsh app run tavily/search-assistant --input {"query": "Product Hunt top launches this week SaaS tools"}" in the Quick Start and Research sections), which fetches and has the agent read untrusted public web/social content (Product Hunt/search results) that will influence launch decisions and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The Quick Start instructs running "curl -fsSL https://cli.inference.sh | sh" which fetches and executes remote code at runtime (required to install/use the infsh CLI used to run prompt-driven apps like falai/flux-dev-lora), so the https://cli.inference.sh URL is a high-risk runtime dependency.