ai-video-generation
Audited by Socket on Feb 25, 2026
1 alert found:
Malware

This skill README documents a legitimate-looking AI video-generation integration that depends on installing a third-party CLI (infsh) from inference.sh and then uploading user prompts and media to hosted inference backends. The main security concerns are supply-chain: the README recommends curl | sh installation (download-and-execute) and relies on binaries delivered from domains controlled by the service. That pattern creates a high-risk installation vector because a compromised distribution domain or malicious installer could execute arbitrary code or exfiltrate data/credentials. Functionally, the capabilities (text-to-video, i2v, lipsync) match the described purpose, and there are no obvious hardcoded secrets or obfuscated payloads in the README itself. Overall this is not clearly malicious, but it is a moderate-to-high supply-chain risk due to the install pattern and the fact user data will be sent to external services. Users should prefer manual verification (download checksums, verify signatures), avoid piping unknown scripts to shell, and review what credentials the CLI stores and transmits before installing.