video-ad-specs

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.90). These URLs point to an unfamiliar domain and the recommended installation uses "curl | sh" to fetch and execute a remote installer that then downloads binaries and an unsigned checksum file from the same unverified host — a high‑risk distribution pattern that can deliver malware.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The Quick Start instructs running "curl -fsSL https://cli.inference.sh | sh" (which downloads and executes a remote installer that in turn pulls binaries from dist.inference.sh) and that installer is required to get the infsh CLI used by the skill, so it clearly executes remote code at runtime.