social-media-carousel

[Skill Scanner] Pipe-to-shell or eval pattern detected All findings: [CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4] [CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4] [CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4] The best report (Report 1) correctly identifies the fragment as a benign design/template for AI-assisted carousel generation with standard external-distributor risk. Its assessment emphasizes the main security concerns: dependency on external binaries, checksum verification, and potential data exposure via payloads to rendering services. To improve, add explicit security controls (signatures, TLS, local rendering option) and privacy/data governance notes for any external AI rendering steps. Overall, the fragment is benign in intent but requires standard supply-chain hygiene around binaries and data flows. LLM verification: The skill documentation is functionally coherent with its stated purpose (rendering HTML to social-media carousel images via the infsh CLI). It contains a risky installation pattern (curl | sh) that executes remote code and examples that upload user content and require login to a remote service. Those operational risks (remote code execution at install and potential data/credential transmission to inference.sh) merit caution, but there is no direct evidence in this SKILL.md of intentional malwar