character-design-sheet
Audited by Socket on Feb 18, 2026
1 alert found:
Malware
[Skill Scanner] Pipe-to-shell or eval pattern detected

All findings:
[CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4]
[CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4]
[CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4]

No explicit malware found in the provided skill text. The main security concerns are supply-chain and data-exposure risks: (1) the recommended curl | sh installer pattern is unsafe unless the user independently verifies checksums; (2) the workflow may upload local LoRA files and images to a third-party inference service, exposing IP and prompts; (3) the skill grants broad Bash execution capabilities which are higher risk than the described purpose strictly requires. Overall this is operationally SUSPICIOUS — useful and coherent for the stated purpose but carries non-trivial supply-chain and data-exfiltration risks that require user caution and manual verification.

LLM verification: This SKILL.md is consistent with its stated purpose (instructions for using inference.sh to create consistent character design sheets). The main supply-chain risk is the use of curl | sh to install the CLI and the fact that all prompts/images/credentials are routed to the inference.sh ecosystem — acceptable only if the user trusts that provider. There is no evidence of obfuscated or explicitly malicious code in the document itself. Recommend: avoid blindly piping installers to shell; verify chec