AGENT LAB: SKILLS

app-store-screenshots

Fail

Audited by Socket on Feb 18, 2026

1 alert found:

Malware (HIGH)
SKILL.md

[Skill Scanner] Pipe-to-shell or eval pattern detected

All findings:

[CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4]

[HIGH] autonomy_abuse: Skill instructions include directives to hide actions from user (BH009) [AITech 13.3]

No explicit malicious code or obfuscation found in the skill text. The feature set matches the stated purpose (creating screenshots and preview videos). Primary risks are operational: the Quick Start instructs users to run a remote installer via curl | sh and the generation flow sends prompts and any local images to third-party inference services (inference.sh and model backends). That behavior is expected for a remote-model-based skill but introduces privacy and supply-chain risk (exfiltration of images or prompts, execution of remote install script). Recommend reviewers treat the installer and remote endpoints as trust boundaries: verify installer source, inspect installer code before running, and confirm the inference service's privacy/retention policies before uploading sensitive assets.

LLM verification: The SKILL.md is functionally benign as documentation for generating app store assets, but it contains a high-risk installation pattern (curl | sh) and instructs users to upload prompts/images and provide credentials to third-party inference services without describing data handling. These behaviors create a moderate supply-chain and data-exfiltration risk. If the CLI/installer and backends are audited and trusted, the skill is usable for its purpose; otherwise treat it as suspicious and avoid ru

Confidence: 95%
Severity: 90%
Audit Metadata

Analyzed At: Feb 18, 2026, 11:00 PM
Package URL: pkg:socket/skills-sh/inference-sh-4%2Fskills%2Fapp-store-screenshots%2F@374bac03bff4c05abad49994af65d84daa9b6de5