background-removal
Audited by Socket on Feb 25, 2026
1 alert found:
Malware

This package/documentation describes a hosted background-removal workflow that relies on installing and running a third-party CLI (infsh) and sending images to inference.sh for processing. The main security concerns are: (1) the recommended pipe-to-shell installer pattern (curl | sh), which is high-risk, (2) data-exfiltration/privacy risk because images are processed by a remote service with no stated retention or privacy guarantees in the docs, and (3) wider supply-chain exposure from fetching binaries from dist.inference.sh and using npx to add skills. No explicit malicious code was evident in the documentation itself, but the installer and binaries should be audited before trusted deployment.

Recommendations: avoid pipe-to-shell; fetch, inspect, and verify installer scripts and binary signatures/checksums before execution; confirm TLS, retention, and privacy policies of inference.sh; restrict CLI permissions and audit any npm skill packages prior to installation.