agent-tools

This skill document describes a legitimate-seeming CLI (inference.sh) for running many AI apps. The main security concerns are supply-chain and credential risks from the recommended quick-install pattern (curl | sh) and from broad capabilities that act on behalf of the user (posting to Twitter/X, automations). The documentation claims checksum and signature verification are available, which mitigates risk when used, but the quick-install invocation encourages skipping manual verification. The documentation does not make data-flow details explicit (whether credentials or inputs are proxied through inference.sh backend), which increases uncertainty about possible credential harvesting or data leakage. I assess this as medium security risk: not clearly malicious, but the distribution and capabilities warrant cautious use (manual verification of binaries, inspect installer script before running, limit credentials and scope, and prefer manual install and least-privilege API tokens).