product-photography

[Skill Scanner] Pipe-to-shell or eval pattern detected This SKILL.md is coherent with its stated purpose (AI product photography) and mostly benign in content, but it exhibits supply-chain and privacy risks: it instructs users to run an installer via `curl | sh`, requires login credentials for a third-party CLI, and routes all prompts and image uploads through inference.sh and external model providers without explicit privacy/retention disclosures. These behaviors are proportionate to the photo-generation purpose but increase the attack surface (installer execution and credential/data centralization). Recommend treating the installer and service as an untrusted third party: inspect the install script before running, understand the CLI's credential storage and retention policy, avoid uploading sensitive images, and prefer vetted installers or package-manager installs when possible. LLM verification: No explicit malicious code appears in the provided skill text itself — it is documentation and examples — but the recommended installation and execution pattern (curl https://cli.inference.sh | sh plus a login step) creates a high-risk supply-chain and credential-exfiltration surface. The skill's capabilities (remote image generation) align with its purpose, but install & data-flow practices are insufficiently transparent and disproportionally powerful for a simple prompt library. Treat this as