ai-avatar-video

This skill documentation describes a legitimate-seeming media generation workflow that relies on a third-party CLI (infsh) and hosted inference services. The primary security concern is supply-chain and exfiltration risk: the README directs users to run a curl | sh installer and to use a CLI that stores credentials and uploads media to the inference.sh service. There is no evidence of explicit malicious code or obfuscation in the provided text, but the installer pattern, custom distribution domains, and reliance on remote binaries and npm packages create a moderate supply-chain risk. Users should avoid pipe-to-shell installs, verify checksums/signatures out-of-band, and treat the infsh CLI as privileged software before granting credentials or uploading sensitive media.