AGENT LAB: SKILLS

video-ad-specs

Fail

Audited by Socket on Feb 19, 2026

1 alert found:

Malware: HIGH
SKILL.md

[Skill Scanner] Pipe-to-shell or eval pattern detected

This SKILL.md describes legitimate-sounding workflows for generating platform-specific video ads and delegates work to an external CLI/service (inference.sh) and model apps. I found no direct malicious code or obfuscation in the provided text. Primary security concerns are:

(1) the use of curl | sh to install the CLI (runs remote installer without integrity checks),
(2) all prompt text and media examples are uploaded to third-party services (inference.sh and named model providers) which may retain or process data — the doc gives no privacy/retention guidance, and
(3) allowed-tools and example commands let the agent invoke many remote apps, increasing the attack surface.

These are suspicious operational/supply-chain risks but not evidence of embedded malware. Recommend vetting the inference.sh installer (review its install script and provenance), auditing the remote services' privacy/retention policies before sending sensitive prompts or media, and preferring verified installers/checksums.

LLM verification: The skill documentation is legitimate for producing platform-specific video ads and demonstrates plausible cloud-based workflows. The main security issues are supply-chain and data-exfiltration risks: the 'curl | sh' installer pattern executes remote code without review, and example commands upload prompts and media to opaque third-party endpoints without describing data handling, retention, or auth scopes. I found no explicit malicious payload or obfuscated code in the provided fragment, but th

Confidence: 95%
Severity: 90%
Audit Metadata

Analyzed At: Feb 19, 2026, 03:41 AM
Package URL: pkg:socket/skills-sh/inference-sh-3%2Fskills%2Fvideo-ad-specs%2F@dda1cad7f1f0dd8453f94b4245e9cf767e65ff1f