flux-image
Audited by Socket on Feb 25, 2026
1 alert found:
Malware

This skill documentation describes using a third-party CLI (infsh) and hosted inference service (inference.sh) to run FLUX models. The primary security concerns are supply-chain and credential risks from the `curl|sh` installer pattern and trusting remote binaries (dist.inference.sh). Requiring `infsh login` means user credentials will be sent to the service; this is expected but sensitive. There is no direct evidence of malicious code, hardcoded secrets, obfuscation, or covert exfiltration in the fragment, but the download-and-execute pattern and dependency on an opaque CLI justify a moderate security risk posture. Recommend users avoid unattended `curl|sh` installs, verify checksums manually, review the infsh binary source or install from a package manager if available, and review infsh's credential storage and privacy policy before use.