social-media-carousel

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.90). Yes — both domains serve a direct shell-install endpoint (cli.inference.sh) and the skill instructs piping a remote .sh into sh (curl ... | sh) from an unverified domain, which is a high-risk distribution pattern for malware even if the project is legitimate.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's Quick Start instructs users to run "curl -fsSL https://cli.inference.sh | sh" which fetches and immediately executes a remote install script (remote code execution) and is required to install the infsh CLI used throughout the skill, so this is a high-risk runtime dependency: https://cli.inference.sh