og-image-design
Audited by Socket on Feb 19, 2026
1 alert found:
Malware [Skill Scanner]: Pipe-to-shell or eval pattern detected

The artifact is documentation for an OG-image generation workflow that delegates rendering to hosted services via the infsh CLI. I found no explicit malicious code in the provided text, but there are notable supply-chain and data-exfiltration risks: executing a remote installer via `curl | sh`, broad allowed-tool privileges, and examples that transmit arbitrary HTML/prompts and require login tokens to remote services without disclosure of data handling practices. Treat the operational instructions as higher-risk: verify the installer and endpoints, avoid sending secrets, and restrict execution privileges before using.

LLM verification: The SKILL.md itself contains benign examples and instructions matching its stated purpose (OG image design). However, it recommends installing and running a remote installer via `curl | sh` and depends on a hosted inference service (inference.sh, and third-party model endpoints). Those distribution and data-flow choices raise supply-chain and privacy concerns: executing a remote installer without verification and sending HTML/prompts and credentials to remote servers increase risk. There is no dir