content-repurposing

Fail

Audited by Socket on Feb 25, 2026

1 alert found:

Malware (HIGH)
SKILL.md

This skill is functionally benign given its stated purpose (content repurposing), but it has non-trivial supply-chain and privacy risks. The biggest issues are the recommended curl | sh installer (download-and-execute), reliance on inference.sh/dist.inference.sh as a central runtime and upload target, and examples that upload local files and invoke social-posting apps without describing credential handling or per-action approval. These behaviors are disproportionate to a purely instructional SKILL.md: a content-repurposing guide should avoid recommending remote arbitrary binary execution and should document how credentials and local files are protected. Recommend: avoid piping remote scripts into sh, require explicit checksum verification or distribution via official package managers, document credential storage and consent flows, and limit allowed-tools scope. Overall: supply-chain risk is moderate — the content is not clearly malicious, but it contains patterns (download-execute, credential forwarding, remote uploads) that increase the chance of credential exposure or data exfiltration if the inference.sh infrastructure or packages are compromised.

Confidence: 95%
Severity: 90%
Audit Metadata
Analyzed At: Feb 25, 2026, 05:38 PM
Package URL: pkg:socket/skills-sh/inference-sh-9%2Fskills%2Fcontent-repurposing%2F@d8f5c960ecac8cd46b4be1e34029b9f0e542ea81