social-media-carousel

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.85). These URLs point to a custom CLI installer (curl | sh https://cli.inference.sh) and binary distribution (dist.inference.sh with checksums) on a private domain — a common legitimate pattern but potentially risky because piping remote shell scripts and trusting checksums hosted on the same site (without independent signatures or known reputation) can be used to distribute malware.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The Quick Start installs the CLI by running "curl -fsSL https://cli.inference.sh | sh" (which downloads/executes remote install code and pulls binaries from dist.inference.sh), so the skill requires and executes remote code from https://cli.inference.sh at runtime.