google-veo

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.70). The URLs point to a single third‑party site (inference.sh) with documentation, a remote installer (curl | sh to https://cli.inference.sh), binaries served from dist.inference.sh and a checksum file — not obviously malicious but executing a remote shell installer and fetching executables from a less‑known domain is potentially risky and could be abused if the site or distribution is compromised.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The Quick Start uses "curl -fsSL https://cli.inference.sh | sh", which fetches and immediately executes a remote install script (https://cli.inference.sh) required to install the infsh CLI that the skill uses to run models.